Developers Are Going to Prison for Writing Code
In May 2024, Dutch courts sentenced Tornado Cash developer Alexey Pertsev to 64 months in prison for money laundering. His crime? Writing open-source software that let people make private cryptocurrency transactions. [1]
In November 2025, Samourai Wallet's founders received 4-5 year sentences. Roman Storm faces a partial guilty verdict. The Treasury sanctioned—then unsanctioned—Tornado Cash's smart contracts. And North Korean hackers stole $1.34 billion in 2024 alone. [2] [3]
This is the crypto privacy crackdown, and it's reshaping what's legal to build.
The Tornado Cash Timeline
What Tornado Cash Did
Tornado Cash was a decentralized mixer on Ethereum. Users deposited crypto, which was pooled with other users' funds, then withdrawn to different addresses. The result: transactions that couldn't be easily traced on the blockchain. [4]
It was open-source code running on immutable smart contracts. Once deployed, even the developers couldn't change or stop it.
August 8, 2022: OFAC Sanctions
The Treasury Department's Office of Foreign Assets Control (OFAC) added Tornado Cash to the Specially Designated Nationals list. For the first time ever, OFAC sanctioned a decentralized protocol rather than individuals. Using Tornado Cash became illegal for U.S. citizens. [5]
August 10, 2022: Alexey Pertsev Arrested
Two days after the sanctions, Dutch authorities arrested developer Alexey Pertsev in Amsterdam on suspicion of "involvement in concealing criminal financial flows and facilitating money laundering." [1]
May 14, 2024: Pertsev Convicted
A Dutch court found Pertsev guilty of money laundering and sentenced him to 64 months (5 years and 4 months) in prison. Prosecutors accused him of laundering $1.2 billion worth of crypto through Tornado Cash. [1]
On February 7, 2025, Pertsev was released to house arrest with electronic monitoring to prepare his appeal. He'd spent nearly 2 years in detention. His defense argues that privacy tools shouldn't be equated with money laundering, and developers shouldn't be criminally liable for how others use their open-source code. [6]
August 23, 2023: Roman Storm Arrested
U.S. authorities arrested co-developer Roman Storm in Washington State. Co-founder Roman Semenov remains at large. Charges: conspiracy to commit money laundering, conspiracy to commit sanctions violations, and operating an unlicensed money transmitting business. [7]
August 6, 2025: Storm's Mixed Verdict
After a 4-week trial and nearly a week of jury deliberation: [7]
- GUILTY: Conspiracy to operate an unlicensed money transmitting business (up to 5 years)
- DEADLOCKED: Conspiracy to commit money laundering (up to 20 years)
- DEADLOCKED: Conspiracy to commit sanctions violations (up to 20 years)
Storm remains free on bail. The defense plans to appeal. The government may retry the deadlocked counts. Storm received more than $2.5 million in donations for his legal defense. [7]
November 26, 2024: Sanctions Overturned
The Fifth Circuit Court of Appeals ruled unanimously that OFAC exceeded its statutory authority. The court held that immutable smart contracts don't qualify as "property" under sanctions law because they lack hallmarks of ownership, control, and exclusivity. On March 21, 2025, Treasury officially lifted the sanctions. [8]
But here's the catch: the criminal charges against developers remain pending despite the delisting.
Samourai Wallet: 5 Years in Prison
April 24, 2024: Arrests
Federal prosecutors charged Samourai Wallet founders Keonne Rodriguez (CEO) and William Lonergan Hill (CTO). Rodriguez was arrested in Pennsylvania; Hill was arrested in Portugal and extradited to the U.S. [2]
The charges: executing over $2 billion in unlawful transactions and facilitating more than $100 million in money laundering from illegal dark web markets including Silk Road and Hydra.
November 2025: Sentencing
Both defendants pleaded guilty in July 2025. Rodriguez received 5 years; Hill received 4 years. Both got 3 years supervised release and $250,000 fines. They agreed to forfeit $237,832,360.55 representing total traceable criminal proceeds. [2]
What Samourai Wallet Did
Samourai used CoinJoin technology—a technique where multiple users combine transactions into a single transaction with many inputs and outputs, obscuring which coins went where. Two key features: [2]
- Whirlpool: Mixed Bitcoin transactions across user groups
- Ricochet: Added extra "hops" to make funds harder to trace
These tools aren't inherently illegal. A later-revealed DOJ memorandum acknowledged that the legality of crypto-mixing services is "not fully settled" under current regulatory frameworks.
The Ripple Effects
Privacy Tools Shutting Down
After the Samourai arrests:
- Wasabi Wallet: Banned U.S. users in April 2024, shut down CoinJoin service June 1, 2024 [9]
- Phoenix Wallet: Closed to American users
- Sparrow Wallet: Removed Whirlpool integration
- Trezor: Discontinued CoinJoin feature
Wasabi's CEO cited the need for "legal clarity." The message to developers: even legitimate privacy tools can land you in prison.
Bitcoin Fog: 12.5 Years
Roman Sterlingov operated Bitcoin Fog from 2011-2021—the longest-running darknet cryptocurrency mixer. It processed transactions involving over 1.2 million bitcoin (~$400 million at the time). [10]
In November 2024, Sterlingov was sentenced to 12 years and 6 months in prison. Prosecutors sought 30 years. Financial penalties: forfeiture of $395.5 million plus approximately 1,345 bitcoin (valued at over $103 million at sentencing). [10]
Blender.io and Sinbad.io
In January 2025, a federal grand jury indicted three Russian nationals for operating Blender.io (2018-2022) and Sinbad.io (its successor). Both mixers were used by North Korean hackers to launder funds from major thefts: $620 million from Axie Infinity, $100 million from Horizon Bridge, $100 million from Atomic Wallet. [11]
OFAC had sanctioned Blender.io in May 2022 for North Korean money laundering.
The North Korea Problem
The Scale
- 2024: North Korea-linked hackers stole $1.34 billion—61% of all crypto stolen globally that year [12]
- 2021-2025: Lazarus Group stole over $5 billion total
- Since 2017: North Korea-linked attackers have stolen over $6 billion
The Bybit Heist: February 2025
On February 21, 2025, North Korean hackers executed the largest cryptocurrency heist in history: $1.5 billion in Ethereum tokens from Bybit. The FBI officially linked it to North Korea on February 26. $160 million was laundered through mixers and DeFi platforms in the first 48 hours. [13]
This single heist surpassed Lazarus Group's entire 2024 total.
The Justification
North Korea uses stolen crypto to fund sanctioned nuclear and missile programs. This is the primary justification for the crackdown on mixers: tools that enable privacy also enable state-sponsored theft and money laundering at massive scale.
How Mixers Work
The Basic Concept
Bitcoin mixers receive crypto from users, pool it together, then send equivalent amounts to recipient addresses. The goal: break the transaction trail so outside observers can't connect sender and receiver. [4]
CoinJoin
The most popular decentralized approach. Multiple users combine their transactions into a single transaction with many inputs and outputs. Example: [4]
- 4 users input 2, 4, 6, 8 BTC (total 20 BTC)
- CoinJoin creates 20 separate outputs, each worth 1 BTC
- Each user receives their original amount in 1 BTC chunks
- Since every output has the same value, you can't determine which addresses belong to which users
Privacy-Enhancing Techniques
- Ring signatures: Anonymize sources by grouping transactions together
- Zero-knowledge proofs: Confirm funds mixed without revealing details
- Tor integration: Route activity through Tor to hide IP addresses
The Surveillance Paradox
Here's the irony: blockchain technology was supposed to enable financial privacy. Instead, it created the most transparent payment system in history. [14]
Every Bitcoin transaction is permanently recorded on a public ledger anyone can examine. While wallet addresses don't carry names, blockchain analytics companies like Chainalysis can trace fund flows with remarkable precision.
Chainalysis has helped seize over $12.6 billion in cryptocurrency. They track transactions across 27+ blockchains and 40 million+ assets. Their Reactor product is used by law enforcement, intelligence agencies, and financial institutions worldwide. [15]
Mixers exist because blockchain isn't private by default. And governments are systematically eliminating the tools that restore that privacy.
The Legal Landscape
FinCEN's Proposed "Mixer Rule"
In October 2023, FinCEN released a proposed rule designating international cryptocurrency mixing as a "Primary Money Laundering Concern." The rule would impose special measures on U.S. financial institutions. [16]
Critics warn the rule's broad definition could criminalize legitimate privacy activities. It encompasses splitting transfers, rotating wallets, swapping coins, and delaying transactions—all common practices. As of September 2025, the final version could be published "within weeks." [16]
EU MiCA and Travel Rule
The EU's Markets in Crypto-Assets Regulation (MiCA) took full effect December 30, 2024. The Travel Rule requires crypto service providers to collect and transmit identifying information for both sender and recipient of any crypto transaction—regardless of amount. [17]
No minimum threshold. No anonymous accounts. Every transaction traceable. Exchanges must delist privacy coins by mid-2027.
The Privacy Coin Exodus
- 73 exchanges globally have delisted privacy coins by early 2025 (up from 51 in 2023)
- Kraken: Delisted Monero in 2024
- Binance: Signaling potential Zcash removal for EU compliance
- Australia and South Korea: Banned exchanges from offering privacy coins
- Japan: Banned privacy coins entirely
Market Resilience
Despite the crackdown, late 2025 saw a "privacy narrative" resurgence: [18]
- Zcash (ZEC): +700% since September 2025
- Monero (XMR): +120% in 2025
- Dash (DASH): +300% in 2025
Over 61% of privacy coin users cite financial privacy as their primary reason for holding. The demand for privacy persists even as the legal walls close in.
The Core Question
Should developers be criminally liable for how others use their open-source code?
Alexey Pertsev wrote software. He didn't launder money. He built a tool that could be used for privacy—or for crime. The same logic could criminalize the creators of encryption tools, VPNs, or any technology with dual use.
The DOJ's own memorandum acknowledges the legality of crypto-mixing services is "not fully settled." Yet developers are serving years in prison while that question remains unanswered.
What You Can Do
Understand the Risks
- Using mixers: May not be illegal where you are, but transactions can be flagged
- Privacy coins: Increasingly delisted from exchanges, harder to convert to fiat
- Self-custody: Holding your own keys reduces counterparty risk but doesn't provide privacy
Support Privacy Advocacy
- Electronic Frontier Foundation: Fighting for digital rights
- Coin Center: Cryptocurrency policy advocacy
- Defense funds: Roman Storm's legal defense accepts donations
Stay Informed
Regulations are changing rapidly. What's legal today may not be tomorrow. The FinCEN mixer rule, EU regulations, and ongoing court cases will reshape the landscape.
The Bottom Line
Developers are going to prison for writing privacy software. Tornado Cash's sanctions were overturned, but criminal charges remain. North Korean hackers stole $1.34 billion in 2024. And the infrastructure for crypto privacy is being systematically dismantled.
The government's argument: mixers enable money laundering and sanctions evasion at massive scale. The counter-argument: privacy is a fundamental right, and developers shouldn't be liable for how others use open-source code.
The reality:
- Privacy tools are being criminalized regardless of their legitimate uses
- Blockchain is not private by default—surveillance is the baseline
- Developers face prison for building tools that restore privacy
- The legal framework is unsettled even as sentences are handed down
Financial privacy once existed by default with cash. In the digital age, you have to fight for it—and that fight is increasingly being criminalized.
References
- CoinDesk - Tornado Cash Developer Alexey Pertsev Found Guilty, Sentenced to 64 Months (May 2024)
- DOJ - Founders Of Samourai Wallet Sentenced To Five And Four Years In Prison (November 2025)
- Chainalysis - 2025 Crypto Crime Mid-Year Update
- Coinbase - What is a Bitcoin mixer?
- U.S. Treasury - Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash (August 2022)
- CoinDesk - Tornado Cash Developer Alexey Pertsev Released From Jail to Prepare Appeal (February 2025)
- CoinDesk - Roman Storm Guilty in Partial Verdict (August 2025)
- Venable - Treasury Lifts Sanctions on Tornado Cash (April 2025)
- CoinDesk - Wasabi Wallet-Developer Blocks U.S. Citizens After Samourai Arrests (April 2024)
- DOJ - Bitcoin Fog Operator Sentenced for Money Laundering Conspiracy (November 2024)
- The Record - Russian nationals arrested, accused of running crypto mixers Blender and Sinbad (January 2025)
- Chainalysis - 2025 Crypto Crime Report
- TRM Labs - The Bybit Hack: Following North Korea's Largest Exploit (February 2025)
- Fordham Law - The Crypto Wars and the Future of Financial Privacy
- Chainalysis - The Blockchain Data Platform
- CU Today - FinCEN Nears Final Rule Targeting Crypto 'Mixers'
- InnReg - Markets in Crypto-Assets Regulation (MiCA) Updated Guide (2025)
- Flashift - Are Privacy Coins Still Viable Under Stricter Regulations In 2025?