Roman Storm Retrial Looms as DOJ Targets Tornado Cash Code with “Knowledge” Theory

Tornado Cash developer Roman Storm’s legal fight has turned into a blunt test of whether U.S. prosecutors can stretch “knowledge” into criminal liability for simply writing open-source code.

• Blanche’s promise on code and crime is being called inconsistent
• Roman Storm still faces a retrial on serious charges
• “Knowledge” is the DOJ’s favorite magic word — and that’s the problem
• Non-custodial software developers are watching this case like hawks

What Todd Blanche said — and why the backlash was immediate

Acting U.S. Attorney General Todd Blanche tried to reassure developers at the Bitcoin 2026 conference in Las Vegas, saying software developers would not be prosecuted simply for writing code. Sounds nice. Almost soothing, even. But then he walked it back with the kind of legal hedging that makes builders nervous: being a coder does not automatically shield someone from criminal liability.

That contradiction is exactly why the response from Roman Storm’s defense team was so sharp. If the government’s top law-enforcement official says “code is not crime,” but the DOJ still uses vague concepts like “helping” and “knowing” to pursue developers, then the slogan starts looking less like a principle and more like a PR bandage slapped over an open wound.

Coin Center CEO Peter Van Valkenburgh put the issue in plain English:

“What counts as ‘helping’? What counts as ‘knowing’?”

That’s the core legal mess. If prosecutors get to define those words however they want, then almost any open-source developer can be dragged into the blast radius.

What Tornado Cash actually is

Tornado Cash is a non-custodial crypto privacy protocol. Non-custodial means the software never takes control of users’ funds. It does not hold your money the way an exchange, bank, or payment processor does. It publishes code. Users interact with that code directly.

That distinction matters. A custodial service can freeze, move, or mishandle funds because it actually controls them. Non-custodial software cannot do that. It is a tool, not a middleman with keys in its pocket and a legal department on speed dial.

And yet Tornado Cash became a lightning rod because privacy tools are catnip for regulators who think “privacy” is just a polite word for “suspicious.” To be fair, the government’s concern is not invented out of thin air. Privacy tools can be used by thieves, sanctioned actors, and hackers to obscure transactions. That is real. But the leap from “bad actors used this tool” to “the developer should go to prison” is where the whole thing starts smelling like a legal dumpster fire.

Why Roman Storm’s case still matters

Roman Storm was convicted in August 2025 of conspiracy to operate an unlicensed money transmitting business. The jury did not reach a verdict on two other counts: conspiracy to commit money laundering and conspiracy to violate the International Emergency Economic Powers Act, or IEEPA, the U.S. sanctions law tied to national security emergencies.

That deadlock matters. It means the jury was not convinced on those charges, but it did not acquit him either. The Department of Justice filed for a retrial on the unresolved counts in March 2026, keeping Storm in the crosshairs.

The case has become even more confusing because the U.S. Treasury lifted sanctions on Tornado Cash in 2025. You might think that would lower the temperature. Apparently not. The DOJ kept pressing ahead, which tells you this is not just about sanctions policy anymore. It is about whether the government can make an example out of the people who build privacy-preserving software.

Storm has been blunt about the risk, warning that developers “CAN be prosecuted for your software.” That is not paranoia when prosecutors are leaning on emails, Google searches, and media-sharing about hacks as proof of “knowledge.”

The DOJ’s “knowledge” theory is the real tripwire

Here is the simplest version of the government’s theory: if a developer knew criminals were using a tool, that awareness can be used to show criminal intent or participation.

That sounds tidy until you apply it to reality.

Any useful technology can be misused. Email gets used for fraud. Signal gets used by criminals. Browsers can be used to access illegal content. GPS gets used by car thieves. That does not make the creators of those tools members of a criminal conspiracy. If it did, the entire software industry would be one long indictment waiting to happen.

Laurent Salat, creator of OXT, warned that this kind of vague “knowledge” standard could let a federal agent incriminate a non-custodial bitcoin service operator “with a simple email.” That is the nightmare scenario for open-source builders: a stray message, a Google search, or a chat log turned into evidence that you were “helping” because you were aware bad people existed. Well, congratulations — that would make half the internet accessories after the fact.

Judge Katherine Polk Failla has reportedly questioned that logic, which is encouraging. A criminal case should require more than “you knew the tool had users, and some users were scumbags.” That is not intent. That is just life online.

Why open-source and privacy developers are alarmed

This is where the Tornado Cash case stops being about one protocol and starts becoming a broader threat to open-source development and crypto privacy.

Open-source software is built in public. People publish code, others inspect it, fork it, reuse it, and sometimes abuse it. That is the model. It is also why developers are deeply exposed if courts begin treating neutral publishing as culpability.

If a privacy tool can be treated like a criminal enterprise because some users are criminals, then what happens to wallet software, relay infrastructure, messaging tools, mixers, bridges, or any other non-custodial crypto software? The chilling effect is obvious. Builders will either self-censor, geo-block, add invasive controls, or just avoid shipping anything that might attract the wrong kind of attention. That is how you suffocate innovation without having the honesty to call it censorship.

For all the talk about supporting innovation, the U.S. still has a habit of telling developers to build the future — then threatening them with prison when the future gets messy.

Why crypto users should care beyond Tornado Cash

Bitcoin itself does not need Tornado Cash. It already has a robust base layer, and no, not every financial problem should be solved with another token or another gimmick. But Bitcoin users and crypto users more broadly absolutely benefit from the existence of privacy tools, open-source wallets, and decentralized infrastructure.

Without privacy, financial freedom is just a slogan waiting to be audited. The ability to transact without every movement being mapped, cataloged, and packaged for compliance theater is part of what made crypto matter in the first place. That does not mean protecting thieves. It means protecting ordinary users from surveillance creep, deplatforming, and the slow normalization of permissioned finance.

This is also where the maximalist and non-maximalist camps can agree on something for once: if software creators can be blamed for how strangers use their code, then the entire permissionless stack becomes fragile. Today it is Tornado Cash. Tomorrow it could be a wallet developer, a node operator, a bridge maintainer, or anyone building tools that reduce surveillance and dependency on intermediaries.

The political optics are getting uglier

Blanche’s remarks were supposed to signal a more crypto-friendly posture. Instead, they landed like polished rhetoric with a trapdoor underneath. That is especially awkward for a Trump administration often described as more crypto-positive than its predecessors. You cannot celebrate decentralization in public while letting prosecutors stretch the law until “writing code” looks like conspiracy.

That is not pro-innovation. That is performative friendliness backed by aggressive enforcement. Same old state muscle, just with better branding.

And yes, there is a serious counterargument from regulators: tools that obscure transactions can be used to launder stolen assets and dodge sanctions. That concern is legitimate. But if the state’s answer is to treat software authors like the criminal masterminds behind every misuse, then the cure is worse than the disease. Once that precedent sticks, privacy software is no longer a legitimate category. It becomes a liability category.

What happens next for Roman Storm

Storm’s retrial is tentatively set for October 26, 2026. If he is convicted on the remaining charges, he could face up to 40 years in prison. That is an absurdly heavy hammer to hang over a developer whose central “crime” is helping publish non-custodial software.

The outcome could shape how U.S. law treats privacy tools, decentralized finance, and open-source developers for years. If prosecutors win by arguing that awareness of misuse equals criminal help, then the legal system has effectively told builders to either stop innovating or start asking permission from the very institutions decentralization was meant to bypass.

That is the real fight here. Not whether criminals use privacy tools. Of course they do. The question is whether the people who build neutral software should be treated like criminals too.

Key questions and takeaways

What is Tornado Cash?

Tornado Cash is a non-custodial crypto privacy protocol that helps users obscure transaction history without taking custody of their funds.

Why is Roman Storm facing retrial?

He was convicted on one count in 2025, while the jury deadlocked on money laundering and sanctions-related charges. The DOJ is seeking another shot at those unresolved counts.

What is the DOJ’s main theory?

Prosecutors argue Storm’s awareness of misuse — through emails, searches, and media references — supports criminal liability. Critics say that turns ordinary knowledge into a legal weapon.

Why are developers worried?

Because vague standards like “helping” and “knowing” could be stretched to punish open-source builders for what users do with neutral software.

Does Blanche’s “code is not crime” line settle anything?

No. His comments were contradicted by his own follow-up, and they do not change the DOJ’s current prosecution posture.

Why does this matter for Bitcoin and crypto privacy?

Because if non-custodial software developers can be targeted for user behavior, the chilling effect could reach wallets, privacy tools, relays, bridges, and other core pieces of decentralized infrastructure.

How serious is the risk for Storm?

Very serious. If convicted on the remaining charges, he could face up to 40 years in prison.

What is the bigger principle at stake?

Whether open-source code is treated as a legitimate tool of free software development or as a potential criminal instrument the moment it offends regulators.