Earlier in August 2025, following a four-week trial, the US District Court for the Southern District of New York (SDNY) found Tornado Cash co-founder and developer Roman Storm guilty of charges tied to a conspiracy to run an unlicensed money business.
The verdict comes a year after Storm was indicted for money laundering, conspiracy to operate an unlicensed money transmitter, and conspiracy to violate US sanctions. The ruling has set alarm bells ringing and drawn severe criticism from industry leaders across the world.
The Blockchain Association, a leading crypto industry lobby group, dubbed the verdict “a dangerous precedent for open-source software developers.” The ruling suggests that writing and publishing open-source code can attract criminal charges if that code is later misused by others, marking an alarming shift in legal responsibility.
Tornado Cash, a decentralised Ethereum-based crypto mixing tool, gained notoriety in recent years as criminals exploited its privacy features to launder funds by obscuring transaction trails. Regulators have long viewed Tornado as a safe haven for illicit activity. However, seeking anonymity in financial transactions is not inherently a crime and sometimes even a necessity. In some cases, such as in authoritarian states, citizens rely on privacy tools to protect sensitive financial information to avoid potential persecution.
In his defence, Storm argued that he merely helped write and deploy open-source smart contracts, over which he had no control once deployed. His legal team claimed his actions were protected under the United States First Amendment, emphasising that he did not knowingly assist or profit from illegal activity. The First Amendment protects fundamental rights, including freedom of religion, speech, press, assembly, and petition.
Historically, US courts have recognised code as a form of protected speech. This case undermines that principle by holding developers accountable for others’ misuse of their software.
Through this conviction, the court has blurred the line between creating a neutral tool and abetting criminal use, setting a precedent that could expose open-source developers to prosecution even when they had no role in a platform’s misuse. Critics warn that sanctioning Tornado Cash, coupled with Storm’s conviction, could stifle innovation and discourage the creation of privacy-forward projects in the United States, as developers may fear legal retribution.
Looking ahead, policymakers and law enforcement must tread carefully, and work towards distinguishing between the deployment of software and the source code itself. Courts should not tamper with a developer’s freedom to write and publish code without fear of prosecution.
