Developer at Treasury-sanctioned Tornado Cash worked for company linked to Russian security agency
Alexey Pertsev, developer of cryptocurrency mixer Tornado Cash, was formerly employed by a company linked to Russian security agency FSB, according to a report from intelligence firm Kharon.
The Treasury Department sanctioned Tornado Cash on Aug. 8, alleging that hacking groups including North Korea’s Lazarus Group have used the service to launder billions of dollars. The Dutch government arrested Pertsev, a Netherlands resident, two days later on suspicion of “involvement in concealing criminal financial flows and facilitating money laundering.”
The action sparked outcry from the global crypto community, concerned that the U.S. government was targeting an open-source software program. The new revelations on Pertsev’s background point to a murkier picture, with national security experts suggesting that the public doesn’t have complete information about the sanctions.
“This opens up a lot of credibility issues for the developers of Tornado Cash,” said Alex Zerden, an adjunct senior fellow at the Center for a New American Security. “This is pretty profound information that informs why the U.S. government and Dutch authorities have taken certain actions.”
Tornado Cash runs on software developed by a Delaware-registered corporation called PepperSec, with the Kharon report identifying Pertsev as that company’s founder and CEO.
According to the firm’s findings, in 2017, Pertsev worked as an information security specialist and developer of smart contracts for Digital Security OOO, a Russian entity that the Treasury Department designated in 2018 as providing material and technological support to the FSB as far back as 2015.
“You had this guy working for [Digital Security OOO] and doing pen testing himself, and then Treasury designated the company for helping the FSB’s hacking capabilities,” said Nick Grothaus, vice president of research at Kharon.
Security and compliance experts criticized the Treasury Department’s unprecedented move to sanction the open-source Tornado Cash in August, citing a lack of guidance for how it would impact regular people using the privacy-focused service, as well as implications for governmental action against open-source software, rather than the traditional targets of persons and entities.
Earlier this week, Rep. Tom Emmer (R-Minn.) sent an open letter to Treasury Secretary Janet Yellen, writing that the sanctions “impact not only our national security, but the right to privacy of every American citizen.”
Major crypto companies have taken different approaches to the measure, with Circle blacklisting the sanctioned addresses and Tether defying the Treasury Department, claiming that freezing addresses could be a “highly disruptive and reckless move.”
Pertsev’s arrest exacerbated privacy concerns, with protesters gathering in Amsterdam to demand his release and chanting “open source [code] is not a crime.”
Zerden said the new information from Kharon is in stark contrast to the immediate response from the crypto community to assume ill intentions by government authorities, arguing that officials are often not able to provide information to the public because of classification requirements.
“There are a lot of reasons and justifications and deference that OFAC [the Treasury’s Office of Foreign Assets Control] has to designate entities,” he added.
While the findings do not prove any underlying motive from the Treasury Department for targeting Tornado Cash, Grothaus said that it is still important to look at connections between different sanctioned persons and entities.
“There seems to be a more complex and complicated picture that takes more time to unravel,” Zerden told Fortune.