The recent mixed verdict in the US criminal trial of Roman Storm, co-founder of the crypto mixer Tornado Cash, marks a pivotal moment for the global crypto industry and offers key lessons for developers in the UK.
The Southern District of New York jury convicted Storm of conspiracy to operate an unlicensed money transmitting business, while remaining deadlocked on more serious charges of money laundering and sanctions violations, raising, but not answering, critical questions about developer liability and regulatory expectations in decentralised finance. Robert Amaee and Freya Piper explore further in our latest article.
Tornado Cash
Tornado Cash launched in 2019 and was built on the Ethereum blockchain. The aim was to enable users to deposit digital assets and withdraw them from different addresses, thereby preventing the owner from being traced. Tornado operated via smart contracts and did not take ownership of the funds. Instead, decisions as to how it would be operated were made through a decentralised autonomous organisation, in which people voted using special tokens.
The case
In 2022, the US Treasury’s Office of Foreign Assets Control sanctioned Tornado Cash in relation to the suspected laundering of over $7 billion in cryptocurrency—$600 million tied to the Lazarus Group, a North Korean hacking group, had been transferred via this decentralised system. It was later held that Tornado Cash had been incorrectly sanctioned, but questions were raised as to the criminal liability of Tornado’s developers.
The US Department of Justice charged Mr Storm and his co-defendants with three counts of conspiracy to commit money laundering, conspiracy to operate an unlicensed money transmitting business, and conspiracy to violate the International Emergency Economic Powers Act. The prosecution argued that Mr Storm had promoted Tornado knowing it was being used by illicit actors, failed to install safeguards and effectively aided criminal activity, while the defence argued that Tornado was a neutral tool and criminal intent could not be established.
Key legal takeaway for UK practitioners
The Storm case reflects a growing appetite by enforcement authorities to target creators of privacy-enhancing crypto technology on the thesis that software architects may owe compliance duties for use that is made of their code. Notably, Tornado Cash itself never held funds; it merely provided a decentralised codebase enabling anonymity. This ‘operational control’ question is central: can developers be held liable where they lack day-to-day management yet foresee illicit misuse of their code?
UK regulators are closely watching these developments at a time when the FCA and lawmakers implement expanded AML frameworks for crypto assets following reforms in 2023 and ongoing policy consultations into 2026.
A call for proactive compliance
Roman Storm’s trial is a cautionary tale that sharpens the focus on crypto developer accountability. It highlights the need for clear legal frameworks and compliance strategies in the UK’s evolving digital asset landscape.
For UK crypto developers, the message is clear: early and continuous legal engagement is essential. As a start, developers should assess whether their platforms meet the threshold of a money transmitting business, and more strategically, must ensure they implement compliance features that mitigate misuse risks without undermining decentralisation principles.
The Storm case urges the sector to embrace responsible innovation—balancing legitimate privacy with financial crime prevention—while preparing for intensified enforcement internationally. As the FCA’s consultation on digital asset rules advances, now is the time for crypto innovators to focus on compliance strategies and transparent governance structures, and engage in industry dialogue.
How can we help?
For guidance on navigating these complex issues, our Disputes and Regulatory teams remain available to provide expert advice and support.
