Written by: Liu Honglin, Attorney at Mankiw LLP
On August 9, an official statement released by OKX on social media caused an uproar. OKX stated that any deposit from Tornado Cash to OKX or withdrawal from OKX to Tornado Cash will trigger account liquidation, without any exceptions. This news quickly sparked widespread discussion, especially on issues involving user privacy and platform compliance.
In this context, some users have asked how "poisoning attacks" will be handled, that is, cases in which a malicious third party deliberately transfers funds to an OKX account through Tornado Cash in order to get the account blocked. In response, OKX said that it will conduct an in-depth investigation into each case and will not directly block an account just because it passively receives such funds.
Netizen Satoshi Friends also released a statement on the matter. He pointed out that he has been a partner of the OKX exchange since 2019 and has actively recommended the platform. However, since May 2024, OKX's policy on users from the Commonwealth of Independent States (CIS) has suddenly become extremely strict, which has forced him to call on all relevant users to withdraw funds immediately and suspend their use of the platform. He emphasized that his account has been blocked and that the incentives earned over years of recommending users have been frozen; only after communicating with the exchange will it be possible to force the exchange to release these funds. He reminded netizens that everyone is at risk of having their accounts frozen, without exception, whether ordinary users or influencers/partners.
Satoshi Friends’ comments have attracted great attention in the cryptocurrency community, especially after he mentioned that several influential users’ accounts have also encountered similar problems. This has further raised questions about OKX’s compliance policies and concerns about the safety of user assets.
In-depth analysis from the perspective of legal compliance
The influence of the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) in the cryptocurrency sector should not be underestimated. OFAC regularly publishes and updates sanctions lists, including the "Specially Designated Nationals and Blocked Persons List" (SDN List). Any transaction with entities or individuals on the SDN List, whether intentional or unintentional, may be considered a violation of U.S. law, resulting in serious legal consequences, including asset freezes, fines, and even criminal charges.
In the OKX incident, Tornado Cash has been included in OFAC's sanctions list. Tornado Cash is a decentralized privacy protocol that allows users to trade cryptocurrencies anonymously (Extended reading: "The founder of the mixer TornadoCash was sentenced to 64 months, and cryptocurrency players have mixed feelings"). However, due to its privacy protection function, it has also become a hotbed for some illegal activities, including money laundering and evading sanctions. Therefore, any transaction related to Tornado Cash may trigger OFAC sanctions, which is also the main reason why OKX must take enforcement measures.
In the past few years, several law enforcement incidents related to transactions with sanctioned entities have shown that the U.S. government has taken strict measures against violations of sanctions regulations. For example:
Bittrex incident. In 2020, the US cryptocurrency exchange Bittrex was fined $24 million by OFAC for allowing transactions with individuals from sanctioned countries, including Crimea, Cuba, Iran, Sudan, and Syria. This case demonstrates the US government's tough attitude towards cryptocurrency exchanges that violate sanctions.
BitMEX incident. Also in 2020, the founders and executives of the BitMEX exchange faced legal action for violating the Bank Secrecy Act (BSA), one of the reasons being the presence of transactions with sanctioned countries on the platform. In the end, BitMEX was fined $100 million, part of which was due to failure to prevent illegal transactions.
Tornado Cash incident. In August 2022, OFAC added Tornado Cash to the sanctions list and accused it of helping the North Korean hacker group Lazarus Group launder money. According to OFAC's allegations, Tornado Cash assisted the organization in laundering more than $455 million worth of illegal funds. This incident not only led to Tornado Cash being banned by many exchanges around the world, but also triggered extensive legal discussions on decentralized privacy tools.
The United States' International Emergency Economic Powers Act (IEEPA) and the Bank Secrecy Act (BSA) are the main legal tools for regulating compliance in cryptocurrency transactions. IEEPA gives the president broad economic sanctions power, allowing sanctions on any entity or individual deemed a threat to national security. The BSA requires financial institutions to take appropriate anti-money laundering measures, including reporting suspicious activities and customer due diligence (KYC).
For users, these legal rules mean that they must carefully choose counterparties when using cryptocurrencies. Any transactions with sanctioned entities may result in account freezing or even legal action. For cryptocurrency platforms, complying with these legal rules is not only a legal obligation, but also a necessary measure to protect their reputation and the security of user assets.
Compliance advice and best practices
In a complex and ever-changing legal environment, both platforms and users face severe compliance challenges. In order to ensure the legality and security of operations in this environment, Mankiw offers the following constructive suggestions to help platforms and users better cope with current and future legal risks.
Platform compliance measures
Strengthening KYC and AML measures
Strengthen user identity verification: The platform needs to further improve the “Know Your Customer” (KYC) process and ensure the legitimacy of users through more stringent identity verification measures. This includes multi-level identity verification, background checks, and continuous monitoring of user transaction behavior.
Real-time monitoring of transaction activities: Using advanced artificial intelligence and big data technologies, the platform can monitor all transactions in real time and identify suspicious behaviors, such as frequent small transactions, cross-border transfers, etc., so as to take timely measures to prevent violations.
Maintaining communication with global regulators
Establish a global compliance team: The platform should establish a dedicated global compliance team to maintain close communication with regulators in various countries to ensure that the platform always complies with the latest laws and regulations. Regularly participate in international conferences and seminars to understand the legal developments of various countries and respond in advance.
Compliance information transparency: While ensuring user privacy, the platform should disclose its compliance strategies and measures to enable users to understand how the platform protects their assets and complies with international legal norms. Transparent compliance policies help enhance user trust.
Adopting blockchain analysis tools
Introducing on-chain analysis: By using blockchain analysis tools, the platform can track and analyze the source and destination of on-chain transactions and identify transactions related to sanctioned entities. Such tools can help the platform take quick action, such as freezing suspicious accounts and marking high-risk transactions.
Data Sharing and Cooperation: The platform can share analytical data with other exchanges and blockchain companies to jointly build a safer cryptocurrency ecosystem and prevent the spread of criminal activities.
User education and warning system
Regular user education: Platforms can regularly publish educational materials on compliance risks and best practices, and use online lectures, articles, and videos to convey information to users on how to use the platform safely and avoid violating laws due to unintentional behavior.
Risk warning mechanism: Provide users with a real-time risk warning system, which will immediately notify users and recommend actions when capital flows related to sanctioned entities are detected. This mechanism can help users avoid potential legal risks in advance.
User Compliance Measures
Multi-channel asset management
Decentralize assets: Users should avoid concentrating all assets on one platform and should instead spread them across multiple legitimate and trusted platforms. This way, even if a platform has problems, the risk can be minimized.
Use a combination of hot and cold wallets: Store most long-term assets in cold wallets to reduce losses due to platform risks, and use hot wallets for daily transaction needs.
Improve legal awareness and compliance operations
Active due diligence: Before entering into any major transaction, users should learn as much background information as possible about the counterparty to ensure that they do not inadvertently trade with a sanctioned entity. This can be achieved through third-party due diligence services or by consulting legal counsel.
Maintain a compliance file: Users can keep a compliance file for themselves, recording the details and background of each large transaction, so that detailed explanations and evidence can be provided in the event of a dispute.
Seek legal assistance promptly: Users should establish contact with professional cryptocurrency legal advisors so that they can quickly obtain legal assistance when needed, especially when their accounts are frozen or they face legal proceedings.
Attorney Mankiw's Summary
In general, the OKX liquidation of Tornado Cash-related accounts and the urgent warning from Satoshi Friends once again reminded cryptocurrency users and platforms of the huge challenges in compliance. With the increase in regulatory efforts, more similar incidents may occur in the future. Therefore, platforms and users need to be prepared in advance and adopt comprehensive compliance strategies and protective measures to ensure the security and compliance of assets and continue to enjoy the convenience and innovation brought by decentralized finance.