Non-Lawyers' Summary

Crypto is not a legal gray zone — it is a legal minefield with live tripwires. The U.S. government has spent a decade building enforcement infrastructure around blockchain: FinCEN runs the money transmission layer, OFAC has sanctioned specific wallet addresses and smart contracts, the SEC is fighting in court over which tokens are securities, and DOJ has seized billions in BTC using private key recovery techniques. For security researchers, this matters because: your bug bounty might be paid in crypto, your OSINT tools analyze blockchain, you might discover an exploit in a DeFi protocol, or you might be asked to do a smart contract audit. Every one of those scenarios has specific legal exposure that has nothing to do with the CFAA. This module maps the real law to the real scenarios you will encounter.


Overview

In 2009, someone — we still do not know who — released a protocol that let strangers exchange value over the internet without a bank standing between them. For a few years, the government watched without fully understanding what it was watching.

Then came Silk Road. Then came Mt. Gox. Then came $6 billion laundered through a Costa Rica-based digital currency exchange, and the DOJ unsealed an indictment that would send its founder to prison for 20 years.

The ambiguity was over. By 2026, the picture is fragmented but legible: FinCEN regulates the money transmission layer under the Bank Secrecy Act; OFAC can sanction wallet addresses and smart contracts under IEEPA/TWEA; the SEC claims jurisdiction over most tokens as securities; DOJ prosecutes unlicensed money transmission and money laundering under statutes that predate crypto by decades.

For security researchers and hackers, the critical insight is this: you can violate multiple regulatory frameworks simultaneously by doing things that feel like pure technical work — running a mixing service, auditing and then holding proceeds from a DeFi exploit, analyzing sanctioned wallet addresses for OSINT purposes, or receiving payment in privacy coins. The code is neutral. The law is not.


1. Money Transmission Law

The Statutory Foundation

31 U.S.C. § 5330 requires anyone who "establishes, owns, or operates" a money services business (MSB) to register with FinCEN. The Bank Secrecy Act (BSA), codified across 31 U.S.C. §§ 5311–5336, imposes AML (anti-money laundering) and KYC (know-your-customer) obligations on MSBs. Non-compliance is a federal crime under 18 U.S.C. § 1960: operating an unlicensed money transmitting business carries up to 5 years' imprisonment per count.

The FinCEN 2013 Guidance: The First Framework

FinCEN's March 2013 guidance document "Application of FinCEN's Regulations to Persons Administering, Exchanging, or Using Virtual Currencies" was the first federal pronouncement on how the BSA applies to crypto. The key three-way distinction:

Role | FinCEN Classification | Registration Required?
User — buys virtual currency to pay for goods/services | Not an MSB | No
Exchanger — converts virtual currency for real currency, other virtual currency, or funds | Money transmitter → MSB | Yes
Administrator — issues and redeems a centralized virtual currency | Money transmitter → MSB | Yes

A miner who mines coins for personal use is a user. A miner who sells those coins to third parties for profit is an exchanger. A Bitcoin mixing service that accepts BTC and returns (different) BTC minus a fee is a money transmitter.

The FinCEN 2019 Framework: Closing the Gaps

FinCEN's May 2019 guidance "Application of FinCEN's Regulations to Certain Business Models Involving Convertible Virtual Currencies" extended the 2013 analysis to cover DeFi, smart contracts, CVC kiosks, DEXs, and anonymizing services. Key determinations:

  • Peer-to-peer exchangers who regularly buy and sell CVC for profit are money transmitters, even with no formal business entity.
  • DEX operators who maintain control over liquidity or order books and take fees may be money transmitters.
  • Anonymizing software providers (mixers, tumblers, CoinJoin coordinators) are money transmitters when they accept and transmit funds.
  • The "integral part of the business" exception: a business that transmits funds as an integral part of another non-MSB activity (e.g., a payroll processor) may use that exception, but it is narrow and fact-specific.

AML/KYC Obligations for Registered MSBs

Once classified as an MSB, a business must:

  • Register with FinCEN within 180 days of establishment
  • Implement a written AML program with four mandatory pillars: (1) internal controls, (2) a designated compliance officer, (3) training, (4) independent testing
  • File Currency Transaction Reports (CTRs) for transactions over $10,000
  • File Suspicious Activity Reports (SARs) for transactions over $2,000 that involve suspected criminal activity
  • Maintain records of transactions over $3,000 including identity information (the "Travel Rule")
  • Comply with the Bank Secrecy Act's Travel Rule requiring transmission of originator/beneficiary information for wire transfers — FinCEN's proposed "ANPRM for Crypto" would extend this to virtual currency transfers below $3,000

Who Is a Money Transmitter vs. Mere User — The Hard Cases

The distinction matters enormously for criminal exposure. Prosecutors have charged § 1960 in factual scenarios that surprised defendants:

  • Running a Bitcoin exchange out of your bedroom — Shamir Bhatt, convicted in S.D.N.Y., operated an informal exchange through LocalBitcoins and was charged as an unlicensed money transmitter.
  • Operating a mixer — Tornado Cash, Samourai Wallet, and Bitcoin Fog were all prosecuted on this theory.
  • Smart contract developers — Roman Storm (Tornado Cash) was charged as a money transmitter even though he argued his code was non-custodial software. The government's theory: he retained effective control.

2. OFAC Sanctions and Crypto

The Regulatory Framework

The Office of Foreign Assets Control (OFAC) administers U.S. economic sanctions under the International Emergency Economic Powers Act (50 U.S.C. § 1705) and the Trading with the Enemy Act. OFAC maintains the Specially Designated Nationals (SDN) list. Any "U.S. person" — citizen, permanent resident, entity organized under U.S. law, or anyone physically in the U.S. — who engages in a transaction with an SDN is in violation, regardless of knowledge. This is strict liability.

Tornado Cash — The Landmark Smart Contract Designation

On August 8, 2022, OFAC took a step no regulator had ever taken before.

Without warning, OFAC designated Tornado Cash — an Ethereum-based cryptocurrency mixer — adding specific smart contract addresses to the SDN list. The code had no owner. No off switch. No CEO to serve a subpoena on. It ran on a blockchain, autonomously and permanently, processing transactions for anyone who interacted with it.

OFAC designated it anyway.

The legal controversy: OFAC's theory was that Tornado Cash was "property" of the sanctioned entity for purposes of blocking. Critics argued that sanctioning immutable software is equivalent to sanctioning the English language or the TCP/IP protocol — the code cannot be ordered to stop.

Van Loon v. Department of Treasury (5th Cir. 2024): A federal appeals court partially vindicated this criticism. The Fifth Circuit held that OFAC exceeded its statutory authority by designating the immutable smart contracts themselves. The Court ruled that immutable smart contracts that are not controlled by any person do not constitute "property" of a sanctionable person within the meaning of IEEPA because they cannot be "owned" — they run autonomously and perpetually on Ethereum regardless of the actions of any human. The mutable contracts (controlled by the DAO/multisig) remained validly sanctioned. The criminal prosecution of the founders (Roman Storm, Roman Semenov) was not affected by Van Loon — the charge was money laundering and unlicensed money transmission, not sanction violation.

Practical effect post-Van Loon: Simply interacting with Tornado Cash's immutable smart contracts is no longer a per se OFAC violation for U.S. persons. However, using Tornado Cash to launder proceeds of crime, or operating a service that routes funds through it, remains criminally exposed under other statutes.

DPRK/Lazarus Group Designations

OFAC has designated specific blockchain addresses attributed to the Lazarus Group (North Korean state hackers) and affiliated actors. As of 2024, OFAC has published hundreds of ETH, BTC, and USDT addresses linked to DPRK. Receiving funds from these addresses — even unknowingly — triggers technical OFAC liability.

For security researchers, the risk is this: if you discover a DeFi exploit, report it responsibly, and the protocol later determines DPRK used the same vulnerability to steal funds, any crypto in wallets linked to that investigation could be flagged as contaminated by OFAC-designated flows.

Strict Liability and Penalties

OFAC sanctions are civil strict liability. You do not need to know you were transacting with a sanctioned party. Civil penalties can reach the greater of $370,114 per transaction or twice the value of the transaction. Criminal penalties under IEEPA go up to $1,000,000 per violation and 20 years' imprisonment for willful violations.

The OFAC safe harbor: OFAC has discretion to impose no penalty if a person had an adequate compliance program in place, made voluntary disclosure, and the transaction was non-egregious. This is not a statutory safe harbor — it is prosecutorial discretion codified in OFAC's Enforcement Guidelines (31 C.F.R. Part 501, Appendix A).

Blockchain Analytics as Enforcement Infrastructure

OFAC works with blockchain analytics firms (Chainalysis, Elliptic, TRM Labs) to trace illicit flows. When OFAC designates an address, it typically has already traced the funds through multiple hops. The analytics infrastructure enables OFAC to add downstream addresses — wallets that received funds from the designated address — to SDN additions in subsequent rounds. This creates a "contamination radius" around sanctioned wallets.


3. Securities Law and Crypto

The Howey Test Applied to Tokens

The SEC's jurisdiction over crypto assets turns on the Howey test from SEC v. W.J. Howey Co., 328 U.S. 293 (1946). A transaction is a security if it is: (1) an investment of money, (2) in a common enterprise, (3) with an expectation of profits, (4) derived from the efforts of others. Applied to tokens:

  • BTC and ETH — the SEC has conceded that BTC is not a security. Former SEC Chair Gary Gensler implied ETH is not a security following the Merge transition to proof-of-stake (though no formal no-action letter exists).
  • Most altcoins, DeFi governance tokens, and ICO tokens — the SEC has treated these as securities, filing enforcement actions against issuers.
  • NFTs with profit-expectation framing — the SEC has begun examining NFT projects whose marketing emphasized investment returns.

SEC v. Ripple Labs (S.D.N.Y. 2023) — The Nuanced Ruling

SEC v. Ripple Labs, Inc., No. 20-cv-10832 (S.D.N.Y. 2023) produced the most doctrinally significant crypto securities ruling to date. Judge Analisa Torres issued a partial summary judgment with three holdings:

  1. Institutional sales of XRP were unregistered securities transactions. Ripple sold XRP directly to hedge funds and sophisticated investors with explicit promises of return. This satisfied all four Howey prongs. Ripple was liable.
  2. Programmatic sales through exchanges were NOT securities transactions. When XRP was sold on secondary markets through blind bid-ask transactions, buyers did not know they were purchasing from Ripple specifically and had no basis to expect profits from Ripple's efforts. The "efforts of others" prong was not satisfied.
  3. "Other distributions" — developer grants, employee compensation in XRP — were also not securities transactions because recipients gave no money.

Why this matters for security researchers: The Ripple ruling creates a "programmatic sales" carve-out that exchange-traded tokens may exploit. If you receive a bug bounty in a token that trades on secondary markets, you likely received it in a context analogous to a programmatic sale — not an institutional direct sale with profit promises.

SEC v. Coinbase and SEC v. Binance (2023)

In June 2023, the SEC filed actions against both Coinbase (Case No. 23-cv-4738, S.D.N.Y.) and Binance (Case No. 23-cv-01599, D.D.C.), alleging the exchanges operated as unregistered securities exchanges, brokers, and clearing agencies. The SEC listed 19 tokens it deemed securities, including SOL, ADA, MATIC, SAND, AXS, CHZ, and others.

These cases are significant for researchers because: if those tokens are securities, their exchange, holding, and transfer are governed by securities laws, not just BSA/AML rules. Bug bounty payments in these tokens could theoretically constitute unregistered securities transactions — though no regulator has pursued this theory against individual researchers.

Staking as Securities

The SEC under Gensler argued that proof-of-stake staking-as-a-service — where a third party stakes your assets and returns yield — constitutes an investment contract: a security. The SEC settled with Kraken in February 2023 ($30 million) over its staking program. Coinbase's staking program is contested in SEC v. Coinbase. Under the 2025 SEC leadership shift following the change in administration, the SEC significantly retreated from this position, issuing staff guidance that proof-of-stake validation itself is not a securities transaction.


4. DOJ Crypto Enforcement: 18 U.S.C. § 1960

The Statute

18 U.S.C. § 1960 criminalizes operating a money transmitting business that: (a) is operated without an appropriate state license where required, (b) fails to comply with the BSA's registration requirements, or (c) involves the transmission of funds known to have been derived from a criminal offense. Maximum sentence: 5 years per count.

The Landmark Prosecutions

Liberty Reserve (2013): Just before dawn on May 28, 2013, the U.S. Attorney for the Southern District of New York unsealed an indictment against Liberty Reserve, a Costa Rica-based digital currency company that had quietly processed $6 billion through 55 million transactions. The government alleged it was designed from inception to be the "bank of choice" for cybercriminals. The founder, Arthur Budovsky, pled guilty and was sentenced to 20 years. This was the first major global § 1960 prosecution of a virtual currency MSB.

BTC-e and Alexander Vinnik (2017): DOJ indicted BTC-e, a Russian-operated exchange that processed over $4 billion in transactions, for money laundering and operating an unlicensed money transmitting business. Alexander Vinnik, alleged to be the exchange's operator, was arrested in Greece and later extradited to the United States. The indictment alleged BTC-e was the primary laundering vehicle for proceeds of the Mt. Gox hack and multiple ransomware groups. Vinnik was convicted in France (5 years), Russia (9 years after extradition), and subsequently faced U.S. prosecution.

Tornado Cash — Roman Storm and Roman Semenov (2023): DOJ indicted the two founders of Tornado Cash on charges of money laundering conspiracy, operating an unlicensed money transmitting business, and sanctions violations. The government's theory: although the smart contracts were non-custodial, Storm and Semenov controlled the relay network that submitted transactions, operated the Tornado Cash DAO with a controlling vote structure, and received fees. Roman Semenov remains at large (Russia). Roman Storm went to trial in S.D.N.Y. in 2024.

Samourai Wallet (2024): DOJ arrested Keonne Rodriguez and William Hill in April 2024, charging them with conspiracy to operate an unlicensed money transmitting business and money laundering conspiracy. Samourai Wallet was a non-custodial Bitcoin wallet with a CoinJoin implementation called Whirlpool. The indictment alleged they processed over $2 billion in unlawful transactions and over $100 million tied to dark web markets. This is the most aggressive application of § 1960 to non-custodial software — the government argued that facilitating CoinJoin transactions constitutes money transmission even without custody of the funds.


5. Crypto Forfeiture Mechanics

The Statutory Framework

Federal crypto forfeiture operates under three primary statutes:

  • 21 U.S.C. § 881 — civil forfeiture of drug trafficking proceeds and property facilitating drug offenses; used extensively against dark web markets
  • 18 U.S.C. § 981 — civil forfeiture of property involved in money laundering offenses and listed crimes; the general civil forfeiture vehicle
  • 18 U.S.C. § 982 — criminal forfeiture of property involved in money laundering, fraud, and specified crimes

Civil vs. criminal forfeiture:

  • Civil forfeiture (§ 981) is against the property itself, not the person. The government files an in rem action (e.g., United States v. 94,636 Bitcoin). The burden shifts to the claimant to establish innocent ownership. The government must establish probable cause to believe the property is subject to forfeiture.
  • Criminal forfeiture (§ 982) is part of a criminal judgment against a convicted defendant. The government must prove the property was involved in or proceeds of the convicted offense beyond a reasonable doubt at sentencing. It requires a conviction.

How DOJ Seizes Wallet Private Keys

Seizure of cryptocurrency requires obtaining the private key or seed phrase, or compelling a cooperating party — exchange, custodian — to transfer funds to a government-controlled wallet. The government has used several techniques:

  • Cooperation / warrant to custodian: For exchange-held crypto, a § 2703 warrant or civil subpoena to the exchange compels transfer.
  • Physical seizure of hardware wallets and storage media: Search warrants authorize seizure of Ledger/Trezor devices, paper wallets, seed phrase backups. The FBI has decryption specialists.
  • Cooperation from co-defendants: In the Bitfinex case, Lichtenstein had encrypted files containing the private keys.

Silk Road ($1B+ seizure): The U.S. seized 69,370 BTC from "Individual X," who had hacked Silk Road in 2012 and stored the proceeds. The government identified the wallet, traced it to a specific storage file, and obtained a cooperating plea from the holder. DOJ then transferred the BTC to its own wallet.

Bitfinex ($3.6B seizure, 2022): Ilya Lichtenstein and Heather Morgan had laundered proceeds of the 2016 Bitfinex hack (119,754 BTC). When the government arrested them, it executed search warrants on cloud storage accounts containing encrypted files with private keys. The keys were cracked using password recovery on the encrypted backup files. This resulted in the largest financial seizure in DOJ history at that time.

Colonial Pipeline ($2.3M BTC recovery, 2021): The FBI recovered approximately 63.7 BTC — most of the $4.4M ransom DarkSide had demanded. The FBI obtained access to the private key for a specific BTC address DarkSide had used. DOJ has not publicly confirmed the exact method; analysts have speculated it involved seizing infrastructure in a data center the FBI could access, or cooperation from the exchange that hosted the wallet.

Substitute Asset Forfeiture

Under 21 U.S.C. § 853(p), if forfeitable property cannot be located, has been transferred, or is unavailable, the government can forfeit substitute assets of equivalent value from the defendant's other property. This means a defendant who has moved or spent crypto cannot escape forfeiture — the government takes other assets of equivalent value.


6. Ransomware Payment Liability

OFAC SDN List and Strict Liability for Ransom Payments

OFAC's September 2021 "Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments" is the controlling guidance. Key points:

  • Ransomware payments to SDN-designated actors violate IEEPA and TWEA regardless of whether the payer knew the recipient was sanctioned.
  • Designated ransomware groups include: Evil Corp (Dridex, WastedLocker), Lazarus Group/Hidden Cobra (DPRK), Sandworm (GRU/NotPetya), and associated individuals.
  • OFAC has designated specific cryptocurrency addresses associated with these groups.

Evil Corp's alias problem: Evil Corp (the Maksim Yakubets group) is sanctioned. When their ransomware variants rebranded — WastedLocker, Hades, Phoenix, PayloadBIN — OFAC issued guidance that payments to any of these variants potentially expose payers to civil sanctions liability. A company deciding whether to pay a ransomware demand must now run the ransomware indicators through blockchain analytics and OFAC's published lists before paying.

CNA Financial (2021): CNA Financial paid $40 million to ransomware operators later linked to Evil Corp. CNA reportedly completed an OFAC due diligence process before paying, but the association with a sanctioned group remained a significant legal exposure. No enforcement action was taken — illustrating OFAC's discretionary safe harbor in practice.

Mandatory SAR Filing

Under the BSA, financial institutions, MSBs, and certain other entities must file SARs when they have reason to suspect transactions involve proceeds of specified unlawful activity. A company paying a ransom:

  • Is not itself a financial institution required to file SARs
  • But may work with a bank or MSB (cryptocurrency exchange used to procure BTC for payment) that does have SAR obligations
  • If a company has an in-house treasury that processes wire transfers, state-chartered bank regulators may impose SAR obligations

CISA and FinCEN have issued joint advisories encouraging voluntary reporting of ransomware payments and indicators.

Cyber Insurance Coverage Gaps

Most cyber insurance policies contain some combination of:

  1. War exclusion: Traditional policies exclude losses from "acts of war." Carriers have argued that nation-state ransomware (NotPetya attributed to Russia's Sandworm) triggers the war exclusion. Merck & Co. v. ACE American Insurance Co. (N.J. Super. Ct. 2023) rejected this for a standard all-risk policy that did not specifically carve out nation-state cyber operations.
  2. OFAC/Sanctions exclusion: Newer policies explicitly exclude coverage for ransom payments that violate OFAC sanctions. This creates a perverse incentive: if you discover the ransomware group is sanctioned after you've decided to pay, your insurance will not cover the ransom, and paying creates OFAC liability.
  3. Consent-to-pay requirements: Many policies require insurer consent before a ransom is paid. Paying without consent voids coverage.
  4. Lloyd's Y5381 exclusion (2023): Lloyd's of London mandated that all its market participants include specific exclusions for cyber attacks that are "state-backed" (attributable to state actors). The attribution problem — proving a ransomware group is state-backed — is inherently difficult under the time pressure of an active incident response.

7. Chain Analysis as Evidence

The Fourth Amendment and Public Blockchains

United States v. Gratkowski, 964 F.3d 307 (5th Cir. 2020) is the leading case on Fourth Amendment protections for Bitcoin transaction data. The court held that Bitcoin users have no reasonable expectation of privacy in their publicly recorded blockchain transactions. The third-party doctrine (Smith v. Maryland, 442 U.S. 735 (1979)) applies: when you broadcast a transaction to the Bitcoin network, you voluntarily share that information with the entire world, and you have no legitimate privacy expectation in it.

The court specifically rejected the argument that Bitcoin's pseudonymous nature creates a privacy interest analogous to the content of communications. The blockchain is public; the fact that your identity is not immediately obvious is a practical obstacle to investigation, not a constitutional protection.

Implication for OSINT analysts and researchers: Tracing Bitcoin addresses for research, OSINT, or threat intelligence does not require a warrant, subpoena, or legal process. The information is public. However, combining blockchain data with other personal information to identify individuals triggers separate legal frameworks (SCA, state privacy laws, aggregation doctrine issues — see Module 02A).

Chainalysis Reactor and Daubert Admissibility

Blockchain analytics firms like Chainalysis (Reactor), Elliptic, and TRM Labs have become regular expert witnesses in federal crypto prosecutions. Their cluster analysis — using heuristics to group addresses controlled by the same entity — is the evidentiary spine of most crypto forfeiture and money laundering cases.

Defense challenges under Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993), have included:

  • The clustering heuristics are proprietary and cannot be independently replicated (black-box critique)
  • Error rates for address attribution are unknown
  • The methodology has not been peer-reviewed

Courts have generally admitted Chainalysis evidence, often finding the foundation requirements met through a combination of the analyst's training, case-specific corroboration, and the established track record of the methodology. United States v. Sterlingov (D.D.C. 2023 — Bitcoin Fog operator conviction) is the most exhaustive published analysis of Chainalysis Reactor admissibility challenges; the court admitted the evidence over multiple Daubert objections.

Pseudonymity Is Not Anonymity

The blockchain is a permanent public ledger. The lesson of every major crypto prosecution should be tattooed on the inside of every crypto user's eyelids: pseudonymity provides a transient privacy buffer, not anonymity.

The government uses:

  • Address clustering to identify common ownership
  • Exchange records (subpoenas to Coinbase, Kraken, Binance.US) to link addresses to verified identities
  • IP address logs from node broadcasts (when a transaction is first broadcast, it often originates from a specific IP)
  • Court-ordered disclosure from foreign exchanges under MLATs
  • Informants within criminal organizations who know the wallet owners

8. Privacy Coins and Mixers

Monero

Monero (XMR) uses ring signatures, stealth addresses, and Confidential Transactions to obscure sender, recipient, and amount on the blockchain. Unlike Bitcoin, there is no public transaction graph to analyze. This has made Monero the preferred currency of dark web markets (it replaced Bitcoin on many markets after 2017), ransomware groups, and privacy-conscious users.

Regulatory pressure: FinCEN has not specifically designated Monero, but the FATF (Financial Action Task Force) has classified privacy coins as "high risk," and most major regulated exchanges have delisted XMR (Coinbase, Kraken, Bittrex, Binance.US). Accepting or paying bounties in Monero from a regulated MSB is operationally difficult.

IRS bounty for Monero tracing: The IRS Criminal Investigation Division offered $625,000 contracts in 2020 to firms that could crack Monero's privacy. Chainalysis and Integra FEC won contracts. The extent to which these tools work is not publicly confirmed. The government's practical position: Monero is harder to trace, but not definitively untraceable.

Legal risk of Monero use: Using Monero is not per se illegal. Paying taxes on Monero proceeds is required (IRS treats all virtual currency as property). Using Monero to conceal criminal proceeds is money laundering. The challenge is proving intent — the government must show the mixing/concealment was designed to hide criminal proceeds, not just for privacy.

Tornado Cash — Criminal vs. Civil Exposure

Post-Van Loon (5th Cir. 2024), the landscape:

Civil OFAC exposure (immutable contracts): The 5th Circuit held OFAC cannot sanction immutable Tornado Cash smart contracts. U.S. persons interacting with those specific contracts are not in technical OFAC violation in the 5th Circuit's jurisdiction. Outside the 5th Circuit, OFAC's designation technically remains in effect — the court's ruling doesn't bind other circuits or OFAC itself nationally — creating jurisdictional uncertainty.

Criminal exposure: Roman Storm's prosecution (S.D.N.Y.) for money laundering conspiracy and § 1960 does not depend on OFAC's designation of the smart contracts. The criminal theory is that Storm operated a money transmitting service and knowingly laundered over $1 billion in criminal proceeds including DPRK Lazarus Group funds. A security researcher who audited Tornado Cash, published findings, and received payment in ETH routed through Tornado Cash does not have this criminal exposure — absent evidence of knowing involvement in the laundering operation.

CoinJoin and Wasabi/Samourai

CoinJoin is a technique where multiple users combine their Bitcoin transactions into a single transaction, breaking the input-output linkage that enables tracing. Wasabi Wallet and Samourai Wallet implemented CoinJoin.
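A worked illustration of the address-clustering heuristic described in section 7 and of how a CoinJoin transaction, as described here, defeats it. This is an added example, not Chainalysis Reactor's or any vendor's method; the transactions and address labels are constructed, and the CoinJoin detector is a deliberately simplified signature.

```python
"""Address clustering by the common-input-ownership heuristic, with a
CoinJoin guard. Added example for this module, not Chainalysis Reactor or
any vendor's method: it implements the textbook rule the section describes
(all inputs of one transaction are assumed to be spent by one entity) and
shows how a CoinJoin transaction, if not excluded, merges unrelated users
into one cluster. All transactions and addresses are constructed."""
from collections import Counter, defaultdict

# Constructed UTXO-style transactions. Amounts in satoshis; addresses are
# placeholder labels rather than real Bitcoin addresses.
TXS = [
    {"txid": "tx1",  # ordinary spend: two inputs, so both belong to "alice"
     "inputs": [("alice1", 50_000), ("alice2", 30_000)],
     "outputs": [("merchant1", 70_000), ("alice3", 9_000)]},
    {"txid": "tx2",  # single-input spend: nothing to link
     "inputs": [("bob1", 100_000)],
     "outputs": [("bob2", 60_000), ("carol1", 39_000)]},
    {"txid": "tx3",  # constructed CoinJoin: three unrelated users, equal outputs
     "inputs": [("alice3", 9_000), ("bob2", 60_000), ("carol1", 39_000)],
     "outputs": [("mix_a", 8_000), ("mix_b", 8_000), ("mix_c", 8_000),
                 ("bob2_change", 51_000), ("carol1_change", 30_000)]},
]


class DisjointSet:
    """Union-find over address labels."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(tx, min_equal_outputs=3):
    """Simplified CoinJoin signature: several inputs plus a run of equal-value
    outputs (the shape Whirlpool/Wasabi-style mixes produce). Real analytics
    use richer tests; this is enough to show why the guard matters."""
    values = Counter(value for _, value in tx["outputs"])
    return (len(tx["inputs"]) >= 3
            and max(values.values(), default=0) >= min_equal_outputs)


def cluster_addresses(txs, skip_coinjoin=True):
    """Return (set of frozenset clusters, list of skipped txids). Every input
    address is registered, so unlinked addresses appear as singletons."""
    ds, skipped = DisjointSet(), []
    for tx in txs:
        inputs = [addr for addr, _ in tx["inputs"]]
        for addr in inputs:
            ds.find(addr)
        if skip_coinjoin and looks_like_coinjoin(tx):
            skipped.append(tx["txid"])
            continue  # a CoinJoin's inputs are NOT one owner; do not merge
        for addr in inputs[1:]:
            ds.union(inputs[0], addr)
    groups = defaultdict(set)
    for addr in list(ds.parent):
        groups[ds.find(addr)].add(addr)
    return {frozenset(members) for members in groups.values()}, skipped


def same_entity(clusters, a, b):
    """True if the heuristic placed a and b in one cluster."""
    return any(a in c and b in c for c in clusters)


if __name__ == "__main__":
    guarded, skipped = cluster_addresses(TXS)
    naive, _ = cluster_addresses(TXS, skip_coinjoin=False)
    print("skipped as CoinJoin:", skipped)
    print("bob2/carol1 same owner (guarded):", same_entity(guarded, "bob2", "carol1"))
    print("bob2/carol1 same owner (naive):  ", same_entity(naive, "bob2", "carol1"))
```

The naive run attributes bob2 and carol1 to one owner purely because they co-signed tx3, which is the kind of unmeasured attribution error the Daubert challenges in section 7 point at.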

Wasabi Wallet: Wasabi's developers, based in Europe, proactively shut down their centralized coordinator for U.S. users following the Samourai arrest. Wasabi's legal theory is that a non-custodial coordinator that processes no funds is distinguishable from a money transmitter.

Samourai Wallet (DOJ 2024): The Samourai indictment is the most aggressive theory: the government alleges that coordinating CoinJoin transactions — even without ever having custody of the funds — constitutes money transmission. If this theory holds up at trial, it would criminalize the act of publishing open-source privacy software that facilitates mixing. The case is a defining test of whether the government can stretch § 1960 to reach non-custodial software developers.


9. Security Researcher Angle

Bug Bounties in Crypto

Receiving a bug bounty in cryptocurrency is a taxable income event (IRS Notice 2014-21; Rev. Rul. 2023-14). The fair market value of the crypto at the time of receipt is ordinary income. Subsequent appreciation or depreciation is a capital gain/loss.

MSB classification risk: A researcher who regularly receives and immediately converts bug bounties in BTC is not a money transmitter — they are a user. A researcher who accepts bug bounties in crypto from multiple parties, pools them, converts for others, or runs a service facilitating those transactions crosses into exchanger territory. The line is between personal use and operating a conversion service.

OFAC risk from bounty payors: If the protocol that pays your bug bounty is later sanctioned, or if the payment traces through a sanctioned wallet in the chain, you have theoretical OFAC exposure. Practically, OFAC has not pursued individual bug bounty recipients — but the strict liability structure means the risk is not zero. The best mitigation: document receipt of the bounty, document that you conducted reasonable OFAC screening at the time, and disclose voluntary receipt to OFAC if you later learn of contamination.
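A screening routine of the kind the mitigation above calls for, which also computes the "contamination radius" described in section 2 (hops downstream of a designated address). This is an added example, not OFAC's or any analytics vendor's tool; the SDN-style XML and the transfer log are constructed placeholders, and the element names are assumed to follow the layout of OFAC's published sdn.xml, which a real run would download and parse instead.

```python
"""Screen wallet addresses against an OFAC SDN-style list and compute a
"contamination radius" (transfer hops from a designated address).
Added example for this module, not OFAC's or any vendor's code. The XML and
transfer log are constructed placeholders; the element names mirror OFAC's
published sdn.xml, but a real run must parse the current file from OFAC."""
from collections import deque
import xml.etree.ElementTree as ET

# Constructed 40-hex-char ETH-style addresses (placeholders, not real).
A_SANCTIONED = "0xaaaa" + "0" * 35 + "1"  # designated address
B_HOP1 = "0xbbbb" + "0" * 35 + "2"        # receives directly from it
C_HOP2 = "0xcccc" + "0" * 35 + "3"
D_HOP3 = "0xdddd" + "0" * 35 + "4"
E_HOP4 = "0xeeee" + "0" * 35 + "5"        # beyond a 3-hop radius
BTC_SANCTIONED = "bc1q" + "q" * 38         # placeholder bech32-style address

SAMPLE_SDN_XML = f"""<sdnList>
  <sdnEntry>
    <uid>90001</uid>
    <lastName>EXAMPLE MIXER (PLACEHOLDER)</lastName>
    <sdnType>Entity</sdnType>
    <idList>
      <id><idType>Digital Currency Address - ETH</idType><idNumber>{A_SANCTIONED}</idNumber></id>
      <id><idType>Digital Currency Address - XBT</idType><idNumber>{BTC_SANCTIONED}</idNumber></id>
    </idList>
  </sdnEntry>
  <sdnEntry>
    <uid>90002</uid>
    <lastName>EXAMPLE PERSON (PLACEHOLDER)</lastName>
    <idList><id><idType>Passport</idType><idNumber>X0000000</idNumber></id></idList>
  </sdnEntry>
</sdnList>"""

# Constructed transfer log: (from, to, asset), e.g. from an explorer export.
TRANSFERS = [(A_SANCTIONED, B_HOP1, "ETH"), (B_HOP1, C_HOP2, "ETH"),
             (C_HOP2, D_HOP3, "ETH"), (D_HOP3, E_HOP4, "ETH")]


def normalize(addr):
    """0x and bc1 addresses are case-insensitive, so lowercase them; base58
    legacy Bitcoin addresses are case-sensitive and are left untouched."""
    a = addr.strip()
    return a.lower() if a.lower().startswith(("0x", "bc1")) else a


def _local(tag):
    # Strip a namespace prefix ("{ns}sdnEntry" -> "sdnEntry"); the production
    # file declares a default namespace, this sample does not.
    return tag.rsplit("}", 1)[-1]


def load_designated_addresses(xml_text):
    """Return {normalized_address: (uid, name, asset)} for every
    'Digital Currency Address - *' identifier; other id types are ignored."""
    designated = {}
    for entry in ET.fromstring(xml_text).iter():
        if _local(entry.tag) != "sdnEntry":
            continue
        fields = {_local(c.tag): c for c in entry}
        uid = (fields["uid"].text or "").strip()
        name = (fields["lastName"].text or "").strip()
        for id_el in fields.get("idList", ()):
            rec = {_local(c.tag): (c.text or "").strip() for c in id_el}
            if rec.get("idType", "").startswith("Digital Currency Address"):
                asset = rec["idType"].split("-", 1)[1].strip()
                designated[normalize(rec["idNumber"])] = (uid, name, asset)
    return designated


def downstream_exposure(transfers, designated, max_hops=3):
    """Breadth-first walk forward from every designated address; returns
    {address: (hops, designated_source)}, keeping the shortest hop count."""
    out_edges = {}
    for src, dst, _asset in transfers:
        out_edges.setdefault(normalize(src), set()).add(normalize(dst))
    exposure = {}
    for seed in designated:
        queue, seen = deque([(seed, 0)]), {seed}
        while queue:
            addr, hops = queue.popleft()
            if hops >= max_hops:
                continue
            for nxt in out_edges.get(addr, ()):
                if nxt in seen:
                    continue
                seen.add(nxt)
                if nxt not in exposure or hops + 1 < exposure[nxt][0]:
                    exposure[nxt] = (hops + 1, seed)
                queue.append((nxt, hops + 1))
    return exposure


def screen(address, designated, exposure):
    """DESIGNATED (on the list), DOWNSTREAM (within the radius) or CLEAR."""
    a = normalize(address)
    if a in designated:
        uid, name, _ = designated[a]
        return {"verdict": "DESIGNATED", "hops": 0, "uid": uid, "name": name}
    if a in exposure:
        hops, seed = exposure[a]
        uid, name, _ = designated[seed]
        return {"verdict": "DOWNSTREAM", "hops": hops, "uid": uid, "name": name}
    return {"verdict": "CLEAR", "hops": None, "uid": None, "name": None}


if __name__ == "__main__":
    listed = load_designated_addresses(SAMPLE_SDN_XML)
    exp = downstream_exposure(TRANSFERS, listed)
    for addr in (A_SANCTIONED, B_HOP1, D_HOP3, E_HOP4):
        print(screen(addr, listed, exp))
```

Record each verdict together with the list version you screened against and the timestamp, since the documentation of a reasonable screening at the time of receipt is what the voluntary-disclosure path in section 2 turns on.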

Smart Contract Auditing Liability

Smart contract auditors are paid to review code for vulnerabilities. Common engagement structures: time-and-materials contract with a findings report, or a fixed-fee engagement with a published audit report. Key legal issues:

  • Contract scope: What warranties does the auditor make? Most audit firms disclaim that their report guarantees the absence of bugs. A protocol that is hacked despite passing an audit may sue the auditor for negligence. Courts have not uniformly established the duty of care for smart contract auditors.
  • Professional liability: Unlike attorneys and accountants, smart contract auditors have no licensed profession with established malpractice standards. Negligence suits depend on contract terms and general professional negligence doctrine.
  • Holding Exploit Proceeds: If an auditor discovers a critical vulnerability and the protocol is exploited before the fix is deployed — whether by the auditor or an unrelated party — the auditor's communication records and timing are relevant. An auditor who uses knowledge of an unpatched vulnerability to personally exploit the protocol has committed: (a) CFAA § 1030(a)(4) (unauthorized access with intent to defraud), (b) wire fraud (§ 1343), (c) potentially securities fraud if the protocol has a token, and (d) money laundering (§ 1956) on the proceeds.

White-Hat Returns — Poly Network and Euler Finance

In August 2021, an attacker moved quickly. In the span of hours, they exploited a cross-chain bridge on Poly Network and extracted approximately $611 million in crypto — the largest DeFi hack in history at that moment. Then they did something no one expected: they started returning it.

Poly Network (August 2021): The attacker communicated through blockchain messages, claiming they were acting as a "white hat" to expose the vulnerability. Over several days, the attacker returned the full amount. Poly Network offered the attacker a $500,000 bug bounty and a "Chief Security Advisor" role. DOJ did not charge anyone — the attacker's identity was reportedly not established with sufficient confidence.

Euler Finance (March 2023): A flash loan attacker stole approximately $197 million. After receiving blockchain messages from Euler's team and law enforcement contact, the attacker returned the bulk of the funds within two weeks. Euler paid a $1 million bounty. No charges were filed.

The legal reality of white-hat returns: Returning stolen funds does not automatically immunize a hacker from prosecution. The CFAA violation, wire fraud, and money laundering occurred at the moment of exploit and transmission. Whether DOJ charges depends on: whether the attacker's identity is known, the scale of harm, whether funds were fully returned, and prosecutorial discretion. Returning funds is a significant mitigating factor but is not a legal defense. If you are considering a "gray-hat" exploit-and-return, get counsel before you act — not after.

DOJ Reward Programs (Kleptocracy Asset Recovery Rewards)

DOJ's Kleptocracy Asset Recovery Rewards program offers rewards up to $5 million for information leading to forfeiture of assets linked to foreign corruption and money laundering. Separately, OFAC rewards under the Terrorist Finance Rewards Program can reach $5 million for information on SDN-linked financial activity. For researchers who identify blockchain flows linked to sanctioned entities, these programs provide a legal path to monetize that intelligence — though the information must be provided to law enforcement, not traded commercially.


10. Safe / Grey / Red Matrix

| Scenario | Status | Analysis |
|---|---|---|
| Receiving a bug bounty in BTC from a registered U.S. crypto exchange | SAFE | User-side receipt; no MSB obligations; taxable income at receipt FMV |
| Receiving a bug bounty in Monero (XMR) for a DeFi audit | GREY | XMR is legal to receive; high risk of exchange difficulty; tax reporting required; document everything |
| Exploiting a DeFi protocol vulnerability for personal gain and keeping proceeds | RED | CFAA § 1030(a)(4); wire fraud § 1343; money laundering § 1956; even partial return does not immunize |
| Running CoinJoin transactions through Samourai Wallet-style software | RED | Post-Samourai 2024 indictment: coordinating CoinJoin is alleged to be § 1960 unlicensed money transmission; criminal exposure until a court rules otherwise |
| Holding a Tornado Cash NFT (TORN governance token) | GREY | TORN itself is not specifically sanctioned; interacting with Tornado Cash's immutable contracts is contested post-Van Loon; retaining a governance token of a partially sanctioned entity carries reputational and potential regulatory risk |
| Analyzing blockchain transactions for OSINT research (Chainalysis Reactor, public data) | SAFE | Public blockchain data is not Fourth Amendment protected (Gratkowski); no legal restriction on analysis of public data; OSINT publication is generally lawful |
| Being paid in Monero by an anonymous protocol for a smart contract audit | GREY | Legal to receive; near-impossible to conduct OFAC screening on an anonymous payor; if the payor turns out to be a sanctioned entity, strict liability risk; document due diligence |
| Paying ransomware to a group later designated by OFAC | RED | Retroactive OFAC liability even if payment predated designation; the risk is that if the group was already designated at the time of payment, strict liability attaches regardless of knowledge |
| Running a personal Bitcoin node that relays transactions including Tornado Cash interactions | GREY | Node operators generally have not been charged; mere relay is different from operation of a service; but DOJ's Samourai theory, if extended, could reach relayers who knowingly process mixing transactions |
| Selling zero-day exploits for payment in cryptocurrency to an unknown foreign buyer | RED | CFAA issues (sale of exploits for offensive use); EAR export control if buyer is foreign; potential OFAC issues if buyer is SDN; money laundering if proceeds of criminal activity; the crypto payment method does not add criminality but does not reduce it either |

11. Key Statutes Quick Reference

| Statute | What It Covers | Maximum Penalty |
|---|---|---|
| 31 U.S.C. § 5330 | MSB registration requirement (FinCEN) | Civil penalties + criminal via § 1960 |
| 18 U.S.C. § 1960 | Operating unlicensed money transmitting business | 5 years per count |
| 31 U.S.C. § 5318(g) | SAR filing obligation | Civil penalties; criminal for willful violations |
| 50 U.S.C. § 1705 (IEEPA) | OFAC sanctions enforcement | Civil: up to $370,114/violation; Criminal: up to $1M/violation + 20 years |
| 18 U.S.C. § 1956 | Money laundering (concealment and international) | 20 years per count |
| 18 U.S.C. § 1957 | Money laundering (transactions in criminally derived property over $10K) | 10 years per count |
| 21 U.S.C. § 881 | Civil drug forfeiture (property derived from/facilitative of drug trafficking) | Civil — in rem |
| 18 U.S.C. § 981 | Civil money laundering and fraud forfeiture | Civil — in rem |
| 18 U.S.C. § 982 | Criminal forfeiture (money laundering, fraud, specified crimes) | Part of criminal judgment |
| 21 U.S.C. § 853(p) | Substitute asset forfeiture | Equivalent value of unavailable forfeitable assets |
| 15 U.S.C. § 78j (Securities Exchange Act § 10(b)) | Securities fraud; unregistered securities offerings | Criminal: 20 years; Civil: disgorgement + penalties |
| 15 U.S.C. § 77a et seq. (Securities Act of 1933) | Registration of securities offerings | Criminal: 5 years; Civil: injunction + disgorgement |
| 18 U.S.C. § 1343 | Wire fraud (crypto transactions over interstate wires) | 20 years per count |
| 18 U.S.C. § 1030(a)(4) | CFAA — unauthorized access with intent to defraud (DeFi exploits) | 5 years per count |
| 26 U.S.C. § 7201 | Tax evasion on crypto gains | 5 years per count |

Key Cases Quick Reference

| Case | Court/Year | Holding |
|---|---|---|
| SEC v. W.J. Howey Co., 328 U.S. 293 (1946) | SCOTUS 1946 | Four-part test for investment contract (security) |
| United States v. Gratkowski, 964 F.3d 307 | 5th Cir. 2020 | No 4th Amendment protection for public blockchain data |
| SEC v. Ripple Labs, Inc., No. 20-cv-10832 | S.D.N.Y. 2023 | Institutional XRP sales = securities; programmatic exchange sales ≠ securities |
| Van Loon v. Department of Treasury | 5th Cir. 2024 | OFAC cannot sanction immutable Tornado Cash smart contracts as "property" |
| United States v. Roman Storm | S.D.N.Y. 2023/24 | Tornado Cash founders charged: § 1960 + money laundering; criminal case unaffected by Van Loon |
| United States v. Keonne Rodriguez and William Hill | S.D.N.Y. 2024 | Samourai Wallet CoinJoin coordinator charged as unlicensed money transmitter |
| United States v. Ilya Lichtenstein and Heather Morgan | D.D.C. 2022/24 | Bitfinex hack proceeds laundering; $3.6B seizure; cooperation → reduced sentences |
| United States v. Ross Ulbricht, 31 F. Supp. 3d 540 | S.D.N.Y. 2014 | Silk Road operator; RICO + drug trafficking + money laundering; life sentence |
| United States v. Arthur Budovsky | S.D.N.Y. 2013 | Liberty Reserve: first major § 1960 virtual currency conviction; 20 years |
| United States v. Alexander Vinnik | Multi-jurisdiction 2017+ | BTC-e operator; money laundering; extradition; multi-country proceedings |
| United States v. Roman Sterlingov | D.D.C. 2023 | Bitcoin Fog mixer operator convicted; Chainalysis Reactor evidence admitted over Daubert challenge |
| Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 | SCOTUS 1993 | Expert evidence admissibility standard; applied to blockchain analytics |
| Merck & Co. v. ACE American Insurance Co. | N.J. Super. Ct. 2023 | War exclusion does not cover NotPetya nation-state cyber attack in all-risk policy |

Practitioner Takeaways for Security Researchers

  1. Getting paid in crypto is not legally risky on its own — but know the OFAC status of the paying protocol and keep records.
  2. Non-custodial does not mean non-criminal. Samourai and Tornado Cash prosecutions prove the government will charge you for operating infrastructure that facilitates money transmission even if you never touched the funds.
  3. Returning exploit proceeds does not erase the crime — it reduces it. Get a lawyer first, not after.
  4. The blockchain is a public permanent record. Pseudonymity is a speed bump, not a wall. If you do anything blockchain-adjacent that you would not want DOJ to reconstruct five years from now, assume they will.
  5. Receiving payment in privacy coins increases risk, not immunity. Monero is harder to trace but creates compliance obligations (tax, OFAC screening) that are nearly impossible to fulfill.
  6. The FinCEN user/exchanger line is fact-specific. Running an informal conversion service through your personal wallet — even for friends — can cross into § 1960 territory.
  7. OFAC strict liability is real. Before interacting with any large DeFi protocol, check OFAC's SDN list for designated addresses in that protocol's ecosystem.

Quiz

See: artifacts/quizzes/quiz-02h.md
