The U.S. Department of Justice has issued a stark warning to the crypto development community, revealing that Tornado Cash developer Roman Storm implemented over 250 changes to the protocol, fundamentally undermining the 'immutable code' defense. Prosecutors assert that exercising operational control over a platform processing more than $1 billion in illicit funds—while deliberately refusing to implement anti-money-laundering controls—constitutes running a criminal enterprise, a legal distinction that could trigger a seismic 10% correction in developer liability standards and reshape the regulatory landscape for decentralized finance.

What the DOJ’s Cox Rejection Actually Establishes – and Why the ‘Immutable Code’ Defense Is Running Out of Road

Storm’s legal team drew a specific parallel: the Supreme Court found Cox Communications shouldn’t be held liable for its users’ infringing activity because Cox had a robust, 98%-effective termination policy for repeat infringers.

The argument was that Storm, like Cox, was a neutral infrastructure provider. Prosecutors dismantled that comparison in a single filing.

The DOJ’s letter to Judge Failla emphasized that Cox actively discouraged the illegal conduct occurring on its network – while Storm and his co-conspirators at Tornado Cash did the opposite.

Prosecutors stated that Storm “actively lied in response to inquiries from victims, telling them he had little control over the protocol when in fact he and his co-conspirators implemented over 250 changes to Tornado Cash infrastructure during the charged time period and explicitly discussed – but forwent – feasible measures to curb criminality on their platform.”

That last clause is the legal weight-bearing element. Under the money laundering and unlicensed money transmission statutes at issue, the question isn’t whether a developer wrote code – it’s whether they operated a system they knew was being used for money laundering, had the capacity to limit that use, and chose not to.

The Bank Secrecy Act’s anti-money-laundering compliance obligations attach to operators, not passive bystanders. Prosecutors’ position is that Storm was an operator by every functional measure.

“In short, the defendant’s reaction to criminal use of his company was window dressing at best and outright misdirection at worst” – prosecutors’ letter to Judge Failla, filed Tuesday.

The August 2025 jury conviction on the unlicensed money transmission count already rejected Storm’s passive-developer framing once.

The October 2026 retrial targets the money laundering conspiracy and sanctions evasion charges directly – the counts where the jury deadlocked, not where it acquitted. That distinction matters: deadlock means twelve jurors couldn’t reach unanimity, not that the evidence was insufficient to convict.