After a US appeals court forced the Treasury to delist Tornado Cash, the United States, European Union and United Kingdom are diverging sharply on whether sanctions and criminal law can reach privacy-tool code and the developers who write it — a split that reshapes compliance risk for every crypto-asset service provider with cross-border exposure in 2026.
The question of whether a government can sanction software, rather than a person or a company, moved from theory to live law in 2026. In Van Loon v. Department of the Treasury (No. 23-50669, 5th Cir., November 26, 2024), the United States Court of Appeals for the Fifth Circuit held that the immutable smart contracts behind the Tornado Cash mixer are not “property” capable of designation under the International Emergency Economic Powers Act (IEEPA). The Office of Foreign Assets Control (OFAC) delisted Tornado Cash on March 21, 2025. Yet the US Department of Justice (DOJ) is pressing a retrial of developer Roman Storm, the EU is preparing an outright ban on anonymity-enhancing assets, and the UK is holding to an entity-level model. This analysis maps where the three regimes now part company and what it means for compliance teams.
Key Facts:
• OFAC removed Tornado Cash from the Specially Designated Nationals (SDN) list on March 21, 2025, after the Fifth Circuit ruled against it — U.S. Treasury
• Van Loon v. Department of the Treasury, No. 23-50669 (5th Cir., November 26, 2024) held immutable smart contracts are not “property” under IEEPA (50 U.S.C. § 1705) — Court record
• On August 6, 2025, a jury convicted Roman Storm of conspiracy to run an unlicensed money-transmitting business under 18 U.S.C. § 1960, but deadlocked on the IEEPA and money-laundering counts — CoinDesk
• On March 9, 2026, the US Attorney for the Southern District of New York moved to retry the deadlocked charges, proposing an October 5 or 12, 2026 start — DeFi Education Fund
• The EU Anti-Money Laundering Regulation (AMLR), Regulation (EU) 2024/1624, bars CASPs from handling anonymity-enhancing coins and anonymous accounts from July 1, 2027 (Articles 58 and 79) — EUR-Lex
• Prosecutors alleged Tornado Cash processed more than $1 billion in illicit funds, including sums tied to North Korea’s Lazarus Group — CoinDesk
Methodology and sources
This analysis relies on primary and near-primary materials: the US Treasury’s March 2025 delisting announcement, the Fifth Circuit’s Van Loon opinion and its IEEPA reasoning, the Southern District of New York docket in U.S. v. Storm as summarised by the DeFi Education Fund, and the consolidated text of the EU AMLR (Regulation (EU) 2024/1624) via EUR-Lex. Enforcement figures are drawn from published DOJ and Treasury settlements. The time window is August 2022 (the original Tornado Cash designation) through June 2026. Jurisdictional scope is the United States, the European Union and the United Kingdom, with the Financial Action Task Force (FATF) standard included for global context. Where rules are still in delegated-act or pre-trial stages, that status is flagged; primary regulator and court documents supersede this summary.
What the Tornado Cash ruling actually changed
OFAC’s August 8, 2022 designation of Tornado Cash was the first time the agency sanctioned autonomous software rather than a named person or entity. The Fifth Circuit’s reasoning in Van Loon turned on a narrow statutory point: IEEPA lets the President block “property” in which a foreign interest exists, and the court found that immutable, ownerless smart contracts cannot be owned, controlled or excluded by anyone — so they are not property. The ruling did not say mixers are lawful, nor that their operators are immune; it said the specific tool OFAC reached for did not fit the code.
OFAC’s delisting of Tornado Cash on March 21, 2025 confirmed that immutable smart-contract code sits outside the agency’s IEEPA blocking power, but it left three enforcement routes intact. First, OFAC can still designate identifiable people and entities — the developer Roman Semenov remained on the SDN list. Second, the DOJ can prosecute operators under money-transmission law (18 U.S.C. § 1960) and money-laundering statutes (18 U.S.C. § 1956), as it has with Roman Storm. Third, the Financial Crimes Enforcement Network (FinCEN) retains Bank Secrecy Act authority over anyone qualifying as a money-services business. In short, the United States lost a tool against code but kept its tools against conduct and people — a distinction that now defines the American approach.
| Jurisdiction / Regulator | Effective date | Scope | Key requirement | Penalty / sanction |
|---|---|---|---|---|
| US (OFAC / DOJ / FinCEN) | Delisting March 21, 2025; Storm retrial proposed Oct 2026 | Persons, entities and operators — not immutable code | Person/entity SDN designation; 18 U.S.C. § 1960 money transmission; § 1956 laundering | Up to 5 years (§ 1960); Binance paid $4.3 billion (2023) |
| EU (AMLR / national CAs) | Applies July 1, 2027 | All CASPs and financial institutions | Articles 58 and 79 prohibit anonymity-enhancing coins and anonymous accounts | National-CA AML penalties; loss of CASP authorisation |
| UK (OFSI / FCA) | Travel Rule since Sept 1, 2023 | Named persons/entities; registered crypto firms | SAMLA 2018 designations; Money Laundering Regulations 2017; Travel Rule | OFSI civil monetary penalties; criminal exposure |
| Global (FATF) | Recommendation 15 updated 2019; Travel Rule | Virtual-asset service providers (VASPs) | Risk-based AML/CFT; originator/beneficiary data sharing | Greylisting pressure; non-binding on firms directly |
Sources: U.S. Treasury, Fifth Circuit Van Loon opinion, EUR-Lex AMLR, FATF Recommendation 15. Last updated: June 16, 2026.
How the US, EU and UK now compare
The three regimes are converging on the goal — keep illicit value out of the regulated system — but diverging on method. The United States, after Van Loon, targets people and conduct: it cannot freeze a protocol, but it can prosecute the humans around it and designate identifiable wallets and operators. The European Union takes the opposite tack, regulating the product category itself. The United Kingdom sits in between, leaning on its long-standing sanctions and anti-money-laundering architecture rather than novel code-level measures.
The EU’s approach is the most categorical. Under the Anti-Money Laundering Regulation (Regulation (EU) 2024/1624), Articles 58 and 79 prohibit credit institutions, financial institutions and crypto-asset service providers (CASPs) from offering anonymity-enhancing coins such as Monero, Zcash and Dash, or from maintaining anonymous accounts, from July 1, 2027. Rather than asking whether a mixer’s code is “property,” Brussels simply removes the regulated on-ramp: a CASP that lists a privacy coin loses its authorisation. The European Banking Authority (EBA) is still drafting the implementing and delegated acts that will set the technical detail, so the contours can shift, but the direction is fixed. This product-level prohibition is structurally different from the US person-level model and the UK entity-level model, and it is the divergence most likely to fragment global token listings.
“the stability of the verdict is very much in play . . . [o]f all of the counts of conviction, the 1960 is perhaps the most interesting of the legal issues that it raises”
— Katherine Polk Failla, US District Judge, Southern District of New York (DeFi Education Fund)
Enforcement context: from Binance to Storm
The contrast between the entity model and the code model is clearest in the enforcement record. In November 2023, Binance agreed to pay $4.3 billion to settle DOJ, FinCEN and OFAC allegations that it failed to maintain an effective anti-money-laundering programme and processed transactions touching sanctioned jurisdictions. That case fit the conventional template: a corporate entity with identifiable controllers, bank accounts and an AML obligation it could be held to. The penalty was among the largest in the history of US financial enforcement, and nothing in Van Loon disturbs that model.
The Storm prosecution tests the harder question. On August 6, 2025, a jury in the Southern District of New York convicted Roman Storm of conspiracy to operate an unlicensed money-transmitting business under 18 U.S.C. § 1960, while deadlocking on conspiracy to violate IEEPA (50 U.S.C. § 1705) and conspiracy to commit money laundering (18 U.S.C. § 1956). On March 9, 2026, prosecutors told the court they intend to retry the two unresolved counts, proposing an October 2026 start. The case matters as precedent: if writing and deploying non-custodial software can amount to money transmission, developer liability extends well beyond firms that hold customer funds. That is the line industry groups are fighting over.
“We are grateful the jury did not convict Roman for violating sanctions or laundering money. There are serious legal issues with the sole remaining count involving unlicensed money transmission.”
— Brian Klein, Partner and defence counsel for Roman Storm, Waymaker LLP (CoinDesk)
What this means for brokers, exchanges, CASPs and compliance teams
For exchanges and CASPs, the immediate task is jurisdictional mapping. A token that is freely listable in the United States after the Tornado Cash delisting may be prohibited in the European Union from July 1, 2027 under AMLR Articles 58 and 79. Firms operating across both blocs should begin a privacy-asset inventory now — Monero, Zcash, Dash and any anonymity-enhancing wrapper — and plan delisting and customer-migration workflows well ahead of the EU deadline, since the EBA’s implementing acts will not arrive in time to leave a comfortable runway.
For brokers, fund managers and custodians, the live risk is counterparty and screening exposure rather than listing. Even where a protocol’s code is no longer sanctioned, transactions that pass through it can still trip money-laundering controls, and identifiable operators or wallets can still be designated. Compliance teams should treat the delisting as a narrowing of one tool, not a safe-harbour: OFAC’s person and wallet designations, FinCEN’s money-services-business rules, and the DOJ’s § 1960 theory all remain. Legal and compliance functions should document the rationale for any mixer-adjacent exposure, refresh sanctions-screening logic to capture associated persons rather than only the delisted contracts, and watch the Storm retrial for the developer-liability standard it will set. Firms with UK touchpoints must also keep pace with OFSI designations under the Sanctions and Anti-Money Laundering Act 2018 and the crypto Travel Rule in force since September 1, 2023.
What’s next: the forward view
Three timelines now dominate. First, the U.S. v. Storm retrial, proposed for October 2026, will either entrench or unsettle the theory that publishing non-custodial code can constitute money transmission; a conviction on the deadlocked counts would be appealed and could reach the Second Circuit. Second, the EBA’s delegated and implementing acts under the AMLR are expected before the July 1, 2027 application date and will determine exactly how far the anonymity-asset prohibition reaches — for instance, whether it captures privacy features bolted onto otherwise transparent assets. Third, the US Treasury faces continued litigation pressure to define what, post-Van Loon, it can still sanction in decentralised systems; further guidance or a fresh designation strategy is likely. For globally active firms, the contested zone is the gap between an American conduct-and-person model, a European product-prohibition model, and a UK entity model that has so far avoided code-level measures.
TL;DR
After the Fifth Circuit’s Van Loon ruling, OFAC delisted Tornado Cash on March 21, 2025, conceding it cannot sanction immutable smart-contract code as “property.” But enforcement did not retreat: the DOJ is seeking an October 2026 retrial of developer Roman Storm on deadlocked sanctions and money-laundering counts, having already won a conviction under 18 U.S.C. § 1960. Meanwhile the EU’s AMLR (Regulation (EU) 2024/1624) bans CASPs from handling anonymity-enhancing coins from July 1, 2027, and the UK leans on OFSI and entity-level sanctions. The result is three diverging models — US conduct-and-person, EU product-prohibition, UK entity — and a $4.3 billion Binance settlement as the reminder that the entity model still bites hardest.
FAQ
Did the Tornado Cash delisting make crypto mixers legal?
No. The Fifth Circuit ruled only that immutable smart contracts are not “property” OFAC can block under IEEPA. Operators can still face prosecution under money-transmission and money-laundering law, identifiable persons can still be sanctioned, and FinCEN’s Bank Secrecy Act rules still apply. The delisting narrowed one specific sanctions tool; it did not legalise mixing services.
What is Roman Storm charged with now?
A jury convicted Storm on August 6, 2025 of conspiracy to operate an unlicensed money-transmitting business under 18 U.S.C. § 1960. It deadlocked on conspiracy to violate IEEPA and to commit money laundering. On March 9, 2026, prosecutors moved to retry those two counts, proposing an October 2026 start. He remains free pending the court’s ruling on his acquittal motion.
When does the EU ban on privacy coins take effect?
The EU Anti-Money Laundering Regulation (Regulation (EU) 2024/1624) applies from July 1, 2027. Articles 58 and 79 prohibit crypto-asset service providers and financial institutions from offering anonymity-enhancing coins such as Monero, Zcash and Dash, or from maintaining anonymous accounts. The European Banking Authority is still drafting the implementing detail.
How does the UK approach differ from the US and EU?
The UK relies on established tools rather than code-level measures: sanctions designations of named persons and entities under the Sanctions and Anti-Money Laundering Act 2018, the Money Laundering Regulations 2017, and the crypto Travel Rule in force since September 1, 2023. It has not attempted to sanction a mixer’s smart-contract code, placing it between the US conduct model and the EU product-prohibition model.
Does the ruling protect crypto developers from liability?
Not directly. Van Loon addressed sanctions authority over code, not criminal liability for developers. The Storm prosecution under 18 U.S.C. § 1960 tests whether writing and deploying non-custodial software can itself be money transmission. Until the retrial and any appeal conclude, developer liability for open-source financial tools remains legally unsettled in the United States.
What should compliance teams do before July 2027?
Firms active in the EU should inventory any anonymity-enhancing assets they list or custody, plan delisting and customer-migration workflows, and refresh sanctions screening to capture associated persons and wallets rather than only delisted contracts. They should also monitor the EBA’s implementing acts, the Storm retrial, and any new US Treasury guidance on decentralised systems.
For related coverage, see our analysis of the FATF Travel Rule sunrise gap, how DORA’s cloud oversight splits the EU, UK and US, the EU’s MiCA 2 review, the CFTC’s crypto-perpetuals opening, and Hong Kong’s stablecoin licensing split.
This article is informational analysis only and does not constitute legal, regulatory, tax, or investment advice. Regulatory frameworks change frequently and interpretation depends on facts and circumstances; primary documents and official regulator guidance always supersede summaries. Firms should consult qualified legal counsel and their relevant supervisory authority before taking any action based on the analysis above.
Rick Steves
Rick Steves has seen business and economics through many lenses. He joined the financial services industry in 2009, and has been a financial journalist since 2011. He holds a degree in Business Administration and has experience producing real-time news, from both buy-side and sell-side, as well as for retail traders, brokers and service providers. Steves' work has appeared in a variety of online publications including FX Street, NewsBTC, FinanceFeeds, and The Industry Spread. Rick has great interest in the dynamics of the trading industry. The never-ending clash between technology, economics, regulation, and more importantly, the people.
