Two months ago, I wrote that privacy is normal and writing code is not a crime. Yesterday, a Manhattan jury proved me half wrong. Roman Storm, co-founder of Tornado Cash, was convicted of conspiracy to operate an unlicensed money transmitting business. The jury deadlocked on the more serious charges of money laundering and sanctions violations, but the precedent is set: you can now go to prison for writing privacy software.
The conviction represents everything wrong with how the legal system approaches technology it doesn't understand. Twelve jurors, guided by prosecutors who likely couldn't explain how a smart contract works, just decided that building decentralized privacy tools is criminal. The absurdity is breathtaking.
Let's start with what Storm actually did. He wrote open-source code that allowed people to deposit Ethereum into a smart contract and withdraw it to a fresh address, breaking the link between sender and receiver. That's it. No custody of funds, no control over who uses it, no ability to stop transactions once deployed. It's software, not a business.
But according to the Southern District of New York, Storm "knowingly operated a money transmitting business that transmitted more than $1 billion in criminal proceeds." This language reveals the fundamental misunderstanding at the heart of the case. Storm didn't "transmit" anything. The software he wrote facilitated peer-to-peer transactions between users. Calling this "transmitting criminal proceeds" is like blaming Tim Berners-Lee for every illegal website because he invented HTTP.
Privacy is not (yet) a crime.
— Jameson Lopp (@lopp) August 6, 2025
But don't you dare try to earn a living by helping people improve their privacy!
The prosecution's entire theory rests on the idea that Storm should have built KYC requirements into a decentralized protocol and somehow "controlled" a system designed to be uncontrollable. This is not just technically impossible, it's philosophically antithetical to the entire point of decentralized systems. You might as well prosecute Satoshi Nakamoto for not putting AML controls in the Bitcoin protocol.
The government's victory lap was predictably tone-deaf. US Attorney Jay Clayton announced that Storm "provided a service for North Korean hackers and other criminals to move and hide more than $1 billion of dirty money." This framing ignores everyone who used Tornado Cash legitimately: dissidents in authoritarian regimes, journalists protecting sources, whistleblowers avoiding retaliation, and ordinary citizens who believed financial privacy was a basic human right.
Storm himself warned before the trial: "If I lose, DeFi dies with me." The jury's split verdict suggests DeFi is wounded but not dead yet. They couldn't agree on the money laundering charges, which would have criminalized the act of building privacy software that bad actors might use. But the money transmission conviction still sets a dangerous precedent that could chill innovation across the entire crypto ecosystem.
Today, @rstormsf was convicted of unlawful money transmission, but wasn't on money laundering and sanctions evasion.
— Joel Valenzuela (@TheDesertLynx) August 6, 2025
Happy it wasn't worse because of the awful precedent it would set, but this is still nonsense. They built and deployed open-source, decentralized tech. Not a… https://t.co/WMewq3AJs2
The technical illiteracy of the prosecution becomes clear when you examine what "transmitting criminal proceeds" actually means in this context. Traditional money transmission involves a business taking custody of funds and transferring them on behalf of customers. Tornado Cash never took custody of anything. It's a smart contract that executes automatically according to predetermined rules. There's no business, no employees, no customer service department. It's code running on a decentralized network.
But the legal system doesn't understand the difference between code and companies, between protocols and platforms. To prosecutors, anything involving money must be a money transmission business subject to licensing requirements and compliance obligations. The fact that no human being has control over a deployed smart contract is irrelevant to judges who think "the cloud" is somewhere in the sky.
This ignorance has real consequences. Storm faces up to five years in prison for the conviction, with the possibility of additional charges if the DOJ decides to retry the deadlocked counts. Meanwhile, other privacy developers are watching and wondering if they're next. The Samourai Wallet founders already pleaded guilty to similar charges. Alexey Pertsev remains imprisoned in the Netherlands for his work on Tornado Cash.
The chilling effect is already visible. Developers are scrubbing privacy features from their projects, avoiding certain jurisdictions, or abandoning crypto development entirely. The most talented builders are asking themselves: is it worth risking decades in prison to build financial tools that governments don't understand and don't want to exist?
The crypto community's response has been a mix of outrage and resignation. Legal experts point out that the broad scope of money transmission laws could criminalize almost any DeFi protocol. Jake Chervinsky called it "a sad day for DeFi," while others noted that the partial mistrial at least prevented the worst-case scenario of convictions on all counts.
But here's what nobody in the courtroom seems to understand: code is speech, not commerce. The First Amendment is supposed to protect Storm's right to publish cryptographic software just as it protects journalists' right to publish classified documents. The government may not like that Tornado Cash enabled financial privacy, but criminalizing the developers who built it is no different from prosecuting the inventors of encryption because terrorists use secure communications.
The conviction also raises uncomfortable questions about who gets to decide what code is legal. Federal prosecutors in Manhattan now have de facto veto power over cryptocurrency innovation. If they decide your privacy tool enables too much criminal activity, you face potential prison time. There's no clear standard, no safe harbor, no way to know if your code crosses the line until you're sitting in a defendant's chair.
This is not how law should work in a free society. Technology should be judged by its capabilities and legitimate uses, not by its worst-case applications. We don't ban cars because bank robbers use getaway vehicles. We don't criminalize mathematics because cryptography can hide criminal communications. And we shouldn't imprison software developers because their privacy tools work too well.
The deadlock on the more serious charges suggests at least some jurors understood the absurdity of prosecuting a developer for user behavior beyond his control. But the money transmission conviction still represents a victory for the surveillance state over financial privacy advocates.
Storm plans to appeal, challenging the application of money transmission laws to decentralized protocols. The appeal will likely focus on whether developers can be held responsible for the misuse of their platforms in decentralized systems. It's a question that will determine the future of not just cryptocurrency, but any software that enables peer-to-peer interaction without intermediary control.
The broader implications extend far beyond crypto. If writing privacy software becomes criminal, who will build the tools needed to protect dissidents, journalists, and whistleblowers? If developers can be prosecuted for user behavior they can't control, what happens to innovation in decentralized systems? If code is not speech but commerce, what protection do software developers have under the First Amendment?
Roman Storm didn't commit a crime. He built a tool that preserved financial privacy in an age of total surveillance. The fact that bad actors used that tool doesn't make its creator a criminal any more than the fact that criminals use Signal makes its developers responsible for every encrypted criminal conversation.
But a jury in Manhattan disagreed, guided by prosecutors who treated software like a traditional business and privacy like a criminal conspiracy. The conviction represents not just a victory for the surveillance state, but a defeat for anyone who believes that writing code should remain protected speech rather than regulated commerce.
Storm's appeal may overturn this precedent. But for now, the message is clear: build privacy tools at your own risk. The government may not understand how your code works, but they're perfectly willing to send you to prison for it.
Privacy may still be normal, but apparently, writing code to protect it is becoming a crime.
