>to obscure cash flows, something which is specifically illegal.
It's only illegal under 18 U.S. Code § 1956 to conduct transactions to obscure the source of "the proceeds of some form of unlawful activity." There's no law against obscuring the sources of cash flows in general. And on an otherwise completely public blockchain, there was a major use case for obfuscating flows for the sake of user privacy.
The phrase 'according to the treasury' and Ctrl-V are doing a lot of work there. The government says a lot of things. The other day the Secretary of State claimed Tornado Cash was a DPRK sponsored hacking group before deleting the tweet. Not everyone in authority has a real great understanding of the technology involved.
> We are talking about an entity that according to the treasury has laundered more than 7 Billion USD, assisted criminals and neglected complying to...(AML/CFT) obligations willingly and repeatedly.
The Tornado Cash mixer contracts have been immutable since May 2020. It's a dumb piece of software that can't be modified or upgraded. Its authors have no control over who uses it on the blockchain.
It's kind of a strange accusation to say that someone has 'willingly and repeatedly' neglected to comply with legal obligations by failing to do something that's technically impossible to accomplish. All the GitHub users did was write code, and simply writing code, while not executing it to do something illegal, seems like it would be pretty well protected by the First Amendment, since code is speech. Turning people's lives to shit over what a software tool they invented gets used for later, after it's completely out of their hands, is pretty wild.
You copied and pasted Brian E. Nelson's complaint:
> Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.
But what Nelson fails to mention is that a) everyone involved has failed to impose 'effective' controls because it's physically impossible for anyone to, and b) basic measures to block sanctioned entities were actually implemented by the operators of the Tornado Cash website (which just got added to the SDN list anyway). So the complaint is that the control measure in place isn't an 'effective' control measure against entities that don't use the website.
And not that the exact number matters, but the Treasury is alleging an obviously maximally exaggerated amount of money laundering. $7 billion is the total value of deposits into Tornado Cash over all time. For that to be $7 billion laundered, 100% of all deposits, ever, put into the mixer would have to have come from illegal sources, which is obviously false. Depositing legally earned money into a privacy smart contract isn't money laundering. A sizeable portion of deposits are illicit, but far from a majority.
>Since becoming active in August 2019, Tornado Cash has received over $7.6 billion worth of Ethereum, a sizable portion of which have come from illicit or high-risk sources.
Let's Encrypt is the lone, singular CA that actually already had a defense against this attack.
> In multiple vantage point verification, a CA performs domain control validation from many vantage points spread throughout the Internet instead of a single vantage point that can easily be affected by a BGP attack. As we measured in our 2021 USENIX Security paper, this is effective because many BGP attacks are localized to only a part of the Internet, so it becomes significantly less likely that an adversary will hijack all of a CAs diverse vantage points (compared to traditional domain control validation). We have worked with Let’s Encrypt, the world’s largest web PKI CA, to fully deploy multiple vantage point validation, and every certificate they sign is validated using this technology (over a billion since the deployment in Feb 2020). Cloudflare also has developed a deployment as well, which is available for other interested CAs.
> But multiple vantage point validation at just a single CA is still not enough. The Internet is only as strong as its weakest link. Currently, Let’s Encrypt is the only certificate authority using multiple vantage point validation and an adversary can, for many domains, pick which CA to use in an attack. To prevent this, we advocate for universal adoption through the CA/Browser Forum (the governing body for CAs).
That defense alone is still not perfect ("some BGP attacks can still fool all of a CA’s vantage points"), but that's the state of the art.
What would make sense is that in August 2017, Rohrabacher wanted to strike a deal for actual, solid evidence that would debunk the idea that the Russian government hacked the DNC (and with it, the idea that Trump worked with Russia), rather than just take Assange's word on who the source was and wasn't. Since his goal is to save Trump's reputation, Assange's word isn't enough.
Of course Trump likely wasn't aware that Rohrabacher was trying to make this kind of deal at the time. Rohrabacher only spoke to Chief of Staff John F. Kelly, who could have easily mentally filed their phone conversation directly in the trash, because the Trump administration was already busy secretly drafting up charges against Julian Assange at the time.
Maybe, but this doesn't appear to be an actual example of brazen Trump corruption. The journalist's summary of the lawyer's summary of the ex-congressman's statement appears to be inaccurate to the point of being fake news.
At no time did I talk to President Trump about Julian Assange. Likewise, I was not directed by Trump or anyone else connected with him to meet with Julian Assange. I was on my own fact finding mission at personal expense to find out information I thought was important to our country. I was shocked to find out that no other member of Congress had taken the time in their official or unofficial capacity to interview Julian Assange. At no time did I offer Julian Assange anything from the President because I had not spoken with the President about this issue at all.
It's true, the Mueller report is light on actual evidence and in places rather heavy on hedging language.
But it seems not an unreasonable guess in this case that there was possible use of "WikiLeaks's private communication system" based on a Twitter DM that was quoted in the Mueller report:
On September 15, 2016, @dcleaks wrote to @WikiLeaks, “hi there! I'm from DC Leaks. How could we discuss some submission-related issues? Am trying to reach out to you via your secured chat but getting no response. I’ve got something that might interest you. You won't be disappointed, I promise.”
The evidence is so comprehensive, and yet we can't see it.
Pages 36 to 51 of volume one of the Mueller report concern the hacking and dissemination of DNC emails. It has many detailed claims and conclusions, but what's notably missing:
The actual evidence on which Mueller bases his conclusion that both DCLeaks and Guccifer 2.0 are cutouts for the GRU. He doesn't even indirectly allude to specific evidence, let alone include it in the report. It just isn't there.
Funny thing: on page 46 it cites a 9/15/16 Twitter DM, @guccifer_2 to @dcleaks. If they're both false identities for the GRU, it seems odd for Russian state coworkers to be communicating with each other over cleartext DMs on Twitter, an American company. (Unless that's just to deviously throw us off their trail.)
>(Unless that's just to deviously throw us off their trail.)
This seems fairly probable.
But, yes, those are all valid points. The Mueller report does not contain the actual hard evidence of the attribution. It contains the full names of the people who registered the account and a lot of the things they did, but it doesn't state the proof of this. I suspect if we all had Top Secret clearances we would probably all be satisfied with the evidence they have, but that's blind speculation of course. A large percentage of it may be Dutch intelligence's findings, which have been widely reported on, but of course you still have to take Dutch intelligence's word for it that they really did compromise GRU computers and observe them.
There is some real evidence (especially released by private security firms) of GRU and SVR hacking the DNC et al., and Guccifer 2.0 is the only one who ever claimed to have the documents discovered during the hack. There's probably a lot of other circumstantial evidence, too. If I get around to writing a long post about all of this, I'll cover everything I can find.
In 2018, the DNC said “The FBI was given images of servers, forensic copies, as well as a host of other forensic information we collected from our systems.”
Of all the things that aren't evidence, an indictment is possibly among the most not-evidence things.
A judge famously said you could indict a ham sandwich. In practice, grand juries say whatever a prosecutor wants them to say.
And as Russian nationals, it's also unlikely they'll ever have to actually stand trial, which is when evidence would be required to enter the public record to convict them.
I also very much doubt the US government will want to go through a discovery phase with these people, so I'm not sure the DoJ really wants a trial to actually take place.
It's only illegal under 18 U.S. Code § 1956 to conduct transactions to obscure the source of "the proceeds of some form of unlawful activity." There's no law against obscuring the sources of cash flows in general. And on an otherwise completely public blockchain, there was a major use case for obfuscating flows for the sake of user privacy.