Overview
The 2023 indictment of Roman Storm and Roman Semenov, the developers of the digital asset mixing service Tornado Cash, created significant uncertainty in the digital asset industry with respect to which platforms are required to register with the Financial Crimes Enforcement Network (FinCEN) as a money transmitter and adhere to FinCEN's anti-money laundering (AML) regulations. Prior to the Storm and Semenov indictment, the industry widely understood that non-custodial platforms did not trigger FinCEN registration and compliance obligations. However, certain charges against Storm and Semenov, coupled with the indictment's description of Tornado Cash's operations, cast significant doubt on that understanding given the non-custodial nature of the Tornado Cash platform. Last week's letter from prosecutors in the case dropping charges under 18 U.S.C. § 1960(b)(1)(B), but retaining charges under § 1960(b)(1)(C), further clarifies the government’s post-Blanche memorandum enforcement priorities.
On May 15, 2025, industry received some further clarity as to DOJ's enforcement priorities – if not the content of the underlying law – when prosecutors in United States v. Storm filed a letter before the United States District Court for the Southern District of New York stating that they would not proceed to trial on the government's claim that Storm conspired to operate a money transmitting business while failing to register with FinCEN, in violation of 18 U.S.C. § 1960(b)(1)(B). The same letter confirmed, consistent with DOJ's recent pronouncements on digital asset enforcement, that they will proceed to trial on the claim that Storm conspired to violate 18 U.S.C. § 1960(b)(1)(C) by operating an unlicensed money transmitting business in a manner that "otherwise involves the transportation or transmission of funds that are known to the defendant to have been derived from a criminal offense or are intended to be used to promote or support unlawful activity….”
The DOJ's decision follows an April memorandum issued by Deputy Attorney General Todd Blanche instructing prosecutors to cease "regulation by prosecution" of the digital asset industry and revelations that FinCEN had told DOJ that a similar non-custodial privacy-enhancing service was unlikely to be a money transmitter under FinCEN's standard "control" analysis (though the question of "functional" or constructive control went unaddressed). See here for additional analysis of the Blanche memo.1
The relevant statute, 18 U.S.C. § 1960, contains three potential violations involving an "unlicensed money transmitting business": (1) failure to comply with a state money transmission licensing requirement (1960(b)(1)(A)), (2) failure to register with FinCEN as a money transmitter (1960(b)(1)(B)), and (3) conduct that otherwise involves the transportation or transmission of funds that are known to the defendant to have been derived from a criminal offense or are intended to be used to promote or support unlawful activity (1960(b)(1)(C)). Storm was initially charged with violations of (b)(1)(B) and (b)(1)(C).
In short, the recent declination of one charge in the Tornado Cash case reflects an immediate implementation of the Blanche Memo, which de-criminalizes "pure" lack of registration, while maintaining DOJ's view that even non-custodial platforms may face scrutiny or prosecution as money services businesses in instances involving allegations that those platforms facilitate the movement of criminal proceeds.
Dueling Money Transmitter Definitions?
What should the digital asset industry make of the fact that DOJ has dropped the FinCEN registration charge while simultaneously keeping a charge involving "unlicensed money transmission?" One interpretation is that the DOJ believes the term "money transmission" should be viewed differently under Section 1960 and under FinCEN rules and the Bank Secrecy Act (BSA), the statute authorizing FinCEN's regulations. In other words, a non-custodial platform may not be required to register with FinCEN and implement an AML program because it is not a money transmitter for purposes of the BSA, while simultaneously qualifying as a money transmitter for purposes of 18 U.S.C. § 1960.
In such an outcome, creators of non-custodial platforms would not be charged under Section 1960(b)(1)(B) or required to register with FinCEN and institute an AML program, but could be charged under (b)(1)(C) where they are involved in the transportation or transmission of funds that are known to them to have been derived from a criminal offense or intended to be used to promote or support unlawful activity.
For the creators of most DeFi protocols, who strongly oppose use of their protocols for illicit purposes, such an outcome may be a reasonable landing place. In Storm, the DOJ has alleged that the defendants were aware the protocol was being used for illicit purposes, but declined to take material action to prevent such transactions.
However, retention of the 1960(b)(1)(C) charge leaves unanswered the precise circumstances in which DeFi developers may face criminal exposure for third-party conduct on their platforms, and may be better read as a signal that developers continue to operate in an area that DOJ may target using money transmission laws (and laws targeting conspiracies to violate the same) in instances where prosecutors link crime proceeds to those protocols.
In Storm, the DOJ alleges the developers continued to have significant involvement in the protocol after launch, including operation of a front-end user interface designed to make it easier for users to interact with the protocol. Therefore, DOJ may view them as differently situated from developers with less ongoing involvement.
There is also the more fundamental question of whether the developer of a non-custodial protocol can appropriately be viewed as engaging in the "transportation" or "transmission" of funds as required for a violation of Section 1960(b)(1)(C). That question remains unsettled, although the judge has denied Storm's motion to dismiss on that basis. In short, Storm is now an example of the Blanche memo approach to prioritization, but DOJ’s pronouncement should not in itself be viewed as acceptance of the industry’s continued push for reconsideration of the underlying law.
The Path Ahead
DOJ has not yet dropped its 1960(b)(1)(B) charge against the creators of another non-custodial privacy-enhancing service in United States v. Rodriguez. Dropping the 1960(b)(1)(B) charge in Rodriguez would be consistent with the approach taken in Storm. Doing so would also provide the government an opportunity to elaborate on the legal basis for distinguishing between a money transmitter for the purposes of the BSA and under § 1960, and how it intends to apply 1960(b)(1)(C) to DeFi platforms more generally. Conversely, if the 1960(b)(1)(B) charges are not dropped in Rodriguez, the enforcement priority clarity provided by the Storm decision will be largely vitiated. Rodriguez therefore warrants close monitoring.
Developers of DeFi protocols should carefully assess the risk posed by the protocol, consider technical or other mitigation measures that can be built into the protocol, and develop a plan for how they will respond if they become aware the protocol is being used for illicit purposes, which may be based in significant part on their degree of ongoing involvement with and ability to alter the protocol or any related aspects (e.g., a front-end user interface) after launch.
***
For additional information on this and related policy developments, please contact a member of Steptoe's Blockchain and Cryptocurrency Practice or Anti-Money Laundering Practice.
1 In their letter to the Court, the Storm prosecutors note that “After review of this case, this Office and the Office of the Deputy Attorney General have determined that this prosecution is consistent with the letter and spirit of the April 7, 2025 Memorandum from the Deputy Attorney General.”
