top of page
DeFi Education Fund Logo (Transparent background).png
Search

US v. Storm: Background & Timeline

ree

In August 2023, developers of the Tornado Cash protocol, Roman Storm and Roman Semenov, were indicted by the U.S. Department of Justice (DOJ) on several charges, including conspiracy to commit money laundering, conspiracy to violate sanctions, and conspiracy to operate an unlicensed money‑transmitting business. 


Storm pleaded not guilty to the charges, explaining that he “is a developer, and his only agreement, together with the members of his U.S.-based company, was to build software solutions to provide financial privacy to legitimate cryptocurrency users.” He was released on bail, and has been living under house arrest. He shared his personal story and details of his experience in a compelling interview on the Crypto In America podcast. Semenov’s location is unknown.


On July 14, 2025, Storm will start trial in Manhattan. If convicted on all charges, Storm faces up to 40 years in prison. This case could set precedent on whether software developers can be held legally responsible for how others use their code. 


Since 2023, there have been multiple developments in this case. This blog was written to summarize key events. 


Unpacking the DOJ’s Allegations


On August 23, 2023, the DOJ unsealed an indictment in the Southern District of New York (SDNY) charging Tornado Cash developers Storm and Semenov with:

  1. Conspiracy to commit money laundering, in violation of 18 U.S.C. § 1956;

  2. Conspiracy to operate an unlicensed money transmitting business, in violation of 18 U.S.C. § 1960(b)(1)(B) and § 1960(b)(1)(C); and

  3. Conspiracy to violate the International Emergency Economic Powers Act (IEEPA), in violation of 50 U.S.C. § 1705.


According to the indictment, the DOJ alleges that from 2019 to 2022, Storm and Semenov “developed, marketed, and operated a cryptocurrency mixing service known as Tornado Cash, a business from which they sought to make, and did make, substantial profits.” The DOJ alleges that Tornado Cash was used by the Lazarus Group, a U.S.-sanctioned North Korean organization, to engage “in large-scale money laundering and sanctions evasion,” and that Storm and Semenov “knew a substantial portion of the funds the Tornado Cash service processed were criminal proceeds passed through the Tornado Cash service for purposes of concealment.” 


The DOJ further alleges that Storm and Semenov operated and profited from Tornado Cash by hosting its front-end website, holding governance tokens (TORN), and “maintaining the relayer algorithm.” The DOJ claims that the developers essentially “conducted, controlled, managed, supervised, directed, and owned all or part of the Tornado Cash service.” According to the DOJ’s initial indictment, Tornado Cash is allegedly a money transmitting business, and therefore its developers were required to register and implement an anti-money laundering (AML) program.


Among the charges, the DOJ alleges that Roman Storm acted in violation of 18 U.S.C. § 1960, the federal statute proscribing the operation of an unlicensed money transmission business under the Bank Secrecy Act (BSA). Under the DOJ’s novel and unprecedented allegations, Roman Storm operated Tornado Cash as an unlicensed money transmitting business despite the fact that Tornado Cash does not take custody or control over user assets, in direct contradiction to guidance from the Financial Crimes Enforcement Network (FinCEN), the BSA’s central regulator.  


Brief Overview of Tornado Cash 


In August 2019, Storm and other engineers developed and deployed a set of smart contracts, called Tornado Cash, which is a software tool for users to engage in private transactions on the Ethereum blockchain using zero-knowledge proofs. Users deposit ETH and other Ethereum-based tokens to the smart contracts from one address and withdraw an equivalent amount of tokens to a different address, without revealing any connection between the sending and receiving addresses recorded on the blockchain.


Background Timeline of Related Events 


  • On August 23, 2023, the U.S. Attorney's Office, Southern District of New York, indicted Roman Storm (see above).


  • On March 29, 2024, counsel for Roman Storm filed a motion to dismiss. His motion was supported by an amicus brief submitted by DeFi Education Fund (DEF) and many other organizations. DEF provided additional arguments on the conspiracy to launder money and the conspiracy to violate the IEEPA charges. 


  • On May 9, 2024, Senators Cynthia Lummis (R-WY) and Ron Wyden (D-OR) sent a bipartisan letter to Attorney General Merrick Garland questioning the DOJ’s interpretation of money transmission laws in the context of open-source software.

 

  • Despite these efforts, on September 26, 2024, the court denied Storm’s motion to dismiss. 


  • In November 2024, the Fifth Circuit Court of Appeals made a monumental ruling that the Office of Foreign Assets Control (OFAC) had overstepped its authority by sanctioning Tornado Cash smart contracts when they published the sanctions in August 2022. Also in November 2024, several Democratic members of Congress sent a letter to Treasury Secretary Janet Yellen and other officials requesting detailed information about the government’s actions regarding Tornado Cash.


  • On January 23, 2025, after his inauguration, President Donald Trump signed Executive Order 14178 “Strengthening American Leadership in Digital Financial Technology.” The EO called for the promotion of U.S. leadership in digital assets and blockchain innovation while safeguarding economic liberty. The EO also included language stating that the policy of the United States is aimed at “protecting and promoting the ability of individual citizens and private-sector entities alike to access and use for lawful purposes open public blockchain networks without persecution, including the ability to develop and deploy software, to participate in mining and validating, to transact with other persons without unlawful censorship, and to maintain self-custody of digital assets.”


  • On March 21, 2025, OFAC delisted the Tornado Cash website and smart contracts from the Specially Designated Nationals and Blocked Persons (SDN) list. DEF subsequently published a blog post detailing the delistment, as well as providing a deep dive of the potential implications of such an action. OFAC claimed to do so at its “discretion,” implying it could redesignate them in some capacity. Roman Semenov remains on the SDN list.


  • In April 2025, the Deputy Attorney General (DAG), Todd Blanche, issued a memo entitled “Ending Regulation by Prosecution.” The Memo makes clear that the era of regulation by prosecution is over, emphasizing: “The Department of Justice is not a digital assets regulator.” In the memo, the DAG instructs prosecutors not to “charge regulatory violations in cases involving digital assets.” These regulatory violations include, but are not limited to: “unlicensed money transmitting under Section 1960(B)(1)(A) and (B), violations of the Bank Secrecy Act, unregistered securities offering violations, unregistered broker-dealer violations, and other violations of registration requirements under the Commodity Exchange Act.” Of note, the DAG explained, in a footnote, that Section 1960(b)(1)(C) is not within the scope of this new policy.


  • On April 28, 2025, a ruling by the U.S. District Court for the Western District of Texas held that OFAC acted unlawfully when it added Tornado Cash’s smart contracts to the Specially Designated Nationals (SDN) list and permanently enjoined the agency from enforcing those sanctions. 


  • On May 15, 2025, in accordance with the DAG memo, the DOJ filed notice that they were choosing to no longer pursue one theory of its three charges against Roman Storm—the Section 1960(b)(1)(B) charge alleging operation of an unlicensed money transmitting business under federal registration laws—but would continue to trial on the other charges. The charges that remain include the conspiracy to commit money laundering under 18 U.S.C. § 1956, conspiracy to operate an unlicensed money transmitting business under 18 U.S.C. § 1960(b)(1)(C), and conspiracy to violate IEEPA under 50 U.S.C. § 1705. DEF wrote a short X thread summarizing the update. 


  • Storm’s trial begins in Manhattan on July 14, 2025


DEF’s PERSPECTIVE 


In addition to an amicus brief that we submitted in April 2024, the DEF team continues to advocate for software developers. Our position is clear: software developers of noncustodial peer-to-peer protocols do not exercise control or custody over user assets and are thus not running money transmitting businesses or financial institutions under the BSA. 


This conclusion is supported by FinCEN in its 2019 Guidance, which explains that money transmitters must “accept and transmit” value on behalf of others, and that those who do not exercise “total independent control” over user assets are not money transmitters under the BSA. The BSA statute, 31 U.S.C. § 5330, defines what it means to be an unlicensed money transmitting business under federal law. FinCEN has long taken the view that the “production and distribution of software” itself does not constitute money transmission and that “total independent control” over third-party funds is necessary for someone to be a money transmitter. And the industry has relied on this guidance since 2019.


While Section 5330 establishes the federal registration requirement, Section 1960 imposes criminal liability for knowingly operating an unlicensed money transmitting business without registration under state or federal law, or if such activity “otherwise involves the transportation or transmission of funds that are known to the defendant to have been derived from a criminal offense or are intended to be used to promote or support unlawful activity.” However, any allegation of wrongdoing under any provision of Section 1960—including the latter provision, 1960(b)(1)(C)—must include the allegation that the person is operating a “money transmitting” business, defined as “transferring funds on behalf of” another person under Section 1960(b)(2). The plain meaning of those words means that the accused must have control over another person’s funds in order to “transfer” them “on [their] behalf”. It is clear that by continuing any allegations of wrongdoing under Section 1960, the DOJ has stretched interpretation of Section 1960(b)(2) beyond its proper limits


Under any fair reading of the law and guidance, the Section 1960 charge should be dismissed and should not be applied to noncustodial software developers. The case against Storm exemplifies a troubling trend of the DOJ pushing its interpretation of “transferring funds” to include noncustodial software developers. Today, the target is Tornado Cash. But under such a sweeping interpretation, tomorrow it could be the developers of a VPN, an encrypted messaging app, or a peer-to-peer file sharing tool. This prosecution threatens not only individual developers, but the very foundational principles of open-source innovation and digital privacy.


RESOURCES


Some helpful links:

  • To access the legal docket for free: click here

  • To read a legal paper analyzing Section 1960 and the DOJ’s flawed interpretation of it, entitled “Through the Looking Glass: Conceptualizing Control and Analyzing Criminal Liability For Unlicensed Money Transmitting Businesses Under Section 1960” by Daniel Barabander, Amanda Tuminelli, Jake Chervinsky: click here.

  • To read DEF’s detailed initial summary of the indictment: click here

  • For additional information about the DAG Memo: click here


The DeFi community is rallying to defend the rights of developers building non-custodial, open-source software and to support both Storm and Pertsev, key developers behind Tornado Cash.

 
 
 

Comments

bottom of page