As I return from Las Vegas, I’ve been reflecting on some spirited debates I had around the topic of regulation and sanctions related to the Web3 space. This is a highly contentious topic, especially around decentralized finance. So, I thought I’d jot down a quick note of my thoughts on the subject.

I delivered a talk on Web3 security at Black Hat USA. A couple of days earlier, the US government imposed sanctions against Tornado Cash. Tornado Cash is a cryptocurrency mixer on the Ethereum blockchain that anonymizes transactions to avoid tracking. It’s become a favorite among criminals to launder ill-gotten gains, including nation-states like the DPRK. It’s been estimated that at least $1.54 billion resulting from crimes such as thefts and hacks have been laundered through Tornado Cash. Being relevant, I briefly mentioned it in my talk since one of the first things you must do before attacking a project is to plan your exit strategy. After all, money laundering 101 is to move fast to confuse tracking attempts.

Privacy

To people not involved in the space, it may be confusing why anyone needs to be private or anonymous while sending or receiving cryptocurrency. The reality is that people are acting as their own bank. If you identify a specific individual and you know that person has a certain number of assets, then you can just show up at their house and force them to hand over their money. It’s a legitimate concern.

Also, with the public nature of these technologies, it could make it far easier to analyze purchase histories and patterns to learn deeper insights about individuals. The same kind of privacy violations we are concerned about today outside of the Web3 space. This becomes much worse for people living under oppressive regimes.

Most of all, it’s just not anyone’s business what people spend their money on. Certainly not so they can create algorithms to learn more about our spending habits and try to convince us to buy things we don’t need.

I mean, it’s not like traditional organizations have a great track record of protecting people’s privacy. There are countless breaches and disclosures that prove otherwise. So, that leaves us with a bit of a conundrum.

Typically, when this topic is brought up, two major talking points bubble to the surface. Let me do a bit of debunking about why these two points don’t mean that we shouldn’t do anything about illicit activities.

Cash

One of the arguments I hear is that cash is anonymous. This may be true in theory, but there are some significant challenges. Probably the biggest point is that cash isn’t frictionless. If you don’t believe me, try to move 100 million dollars across an international border or trade one currency for another. In small amounts, sure, but when you are trying to launder large amounts of money, it isn’t.

There are other choke points as well, where you have an opportunity to catch someone who’s stolen a large amount of money. Video cameras at establishments, border checks, scanners at airports, and on and on. Not to mention there’s also the time factor. It takes a lot more time to move physical cash than it does an electronic transaction creating more opportunities for detection.

In reality, cash is only anonymous in small amounts and under the right conditions.

Decentralization

There’s been a surprising lack of effort on behalf of the community to address issues like money laundering and theft. In fact, the attitude of the community has been pretty much the opposite. Many proponents say that this is the purpose of decentralization in the first place. To resist efforts to regulate and sanction.

In a more extreme case, there was even the Ethereum developer who went to North Korea for the purpose of helping the DPRK evade sanctions. Even though most advocates wouldn’t go to North Korea, these aren’t fringe opinions and quite a few people in the space supported Virgil Griffith.

Decentralization means a lack of ownership. Unfortunately, this lack of ownership also extends to the issues created by decentralization as well. Whenever issues of money laundering arise, the resounding response is, “that’s just how the system works.” Just because something is decentralized doesn’t mean there is nothing that can be done.

Another comment I hear is that illicit transactions make up a small amount of the total transactions, so why is anyone concerned about it? It’s true that money laundering and illicit transactions make up a small number of the total number of transactions per year, but we are still talking about billions of dollars. Not to mention, some of these networks have become the primary vehicle for criminals. This is also not an excuse to do nothing about it.

More Regulation and Sanctions

If there’s one thing that’s for sure, it’s that we’ll see more regulation and sanctions coming soon. Tornado Cash isn’t the only game in town. More regulations and sanctions are coming because the community is completely unwilling to address these concerns in any meaningful way.

Sanctions and regulations often create more friction than directly addressing an issue. This is because they are rarely implanted well and are part of a knee-jerk reaction. For example, someone sent Crypto Influencers small amounts of ETH from sanctioned Tornado Cash wallets, getting them banned from using Defi projects, which is kind of funny. Ironically, it’s the same lack of friction that these influencers tout that allows this to happen.

Another side effect of the sanctions is that legitimate users doing nothing wrong may have had their assets frozen.

Given all of this trouble, you’d think that the community would be looking for ways to avoid these situations in the future, but mostly what’s happening is complaining about how things aren’t “decentralized” enough.

If you are in full schadenfreude around what’s happening, you should take a pause. Even if you don’t care about Defi and web3, that doesn’t mean you shouldn’t care about what’s happening. There’s the potential here for blowback onto other privacy controls outside of the web3 space. The more of these sanctions we see, the more comfortable the government gets with creeping into other areas, such as weakening the encryption we use on a daily basis and take for granted. There are also issues concerning code and free speech in the blast radius of these sanctions.

Prevention is the Best Cure

The best way around sanctions and regulations is not to incur them in the first place. So, what could the community do? Projects could band together and create something like a Defi Standards body. This group could define standards that address security and privacy as well as curtailing illicit transactions. The adoption of these standards would mean that projects that don’t follow them have a low reputation and legitimate Defi projects can refuse to work with them. Certainly not perfect, but it would have a positive impact.

Unfortunately, using controls to curtail illicit transactions requires the introduction of friction. Controls such as delays, additional verification, transaction limiting, and many others are considered unpalatable and anti-freedom.

So, don’t hold your breath that something like this will happen without being forced. Creating standards is something that traditional organizations do and it doesn’t apply. Rules are for squares man!!! You’d think an attempt to stop the movement of funds stolen from other Defi projects would at least be a start and directly applicable to the space, but there aren’t any real efforts here.

There’s too many chains, too many projects, making too many problems, and not enough love to go around. (Sorry for the music reference, once I saw it, I couldn’t unsee it. Bravo if you know the song.)

Conclusion

As long as the Web3 space continues to do nothing to curtail harm, we’ll see more regulation and sanctions. The community seems to think these are a result of some sort of threat to traditional institutions. As long as this mindset persists, instead of the fact that ill-gotten gains are helping fund nation-state nuclear ambitions, we won’t see meaningful solutions from the Web3 side. The community seems content to duke it out with various countries around the world instead of addressing the issues.

The next couple of years will be interesting.