DeFi’s Regulatory Status Under MiCA and Cryptoasset Licensing Requirements

DeFi’s Regulatory Status Under MiCA and Cryptoasset Licensing Requirements

2026-06-05

The Boundaries of Decentralization: Examining DeFi’s Regulatory Status Under MiCA and Its Implications for Cryptoasset Licensing Requirements

The emergence of decentralized finance (DeFi) has precipitated a fundamental reconsideration of regulatory boundaries in European cryptoasset markets. The Markets in Crypto-Assets Regulation (MiCA), which entered into force in 2023, explicitly excludes from its scope services provided in a “fully decentralized manner” without any intermediary. Yet this ostensibly straightforward exemption masks considerable complexity. The absence of precise definitional parameters for “full decentralization,” coupled with the inherent sophistication of DeFi ecosystems, generates substantial uncertainty regarding both the exemption’s actual scope and its practical implications for market participants operating within the cryptoasset space.

This Article examines the jurisprudential challenges inherent in delineating the boundaries of decentralization within regulatory frameworks, with particular emphasis on the phenomenon of pseudo-decentralization and its ramifications for licensing obligations. Central to this analysis is the distinction between technical and functional decentralization, as well as the identification of centralized elements within nominally decentralized systems. These distinctions carry profound implications for regulatory compliance and market structure.

 

The Machine That Belongs to No One

How decentralized finance became the last line of defense against the law—and why the defense keeps failing

In September of 2022, the Commodity Futures Trading Commission, the federal agency that polices the American derivatives markets, found itself with a problem no manual had anticipated. It wanted to sue a defendant that did not, in any conventional sense, exist. The thing had no headquarters, no board, no registered agent, nothing a process server could drive to. What it had was an online forum, where holders of a digital token voted on what the enterprise should do next. So the agency served its lawsuit by dropping it into the forum’s help-desk chat window, the way one might slip a summons under the door of an empty house. It sounds like a prank. But the judgment that followed is now the most consequential ruling in the world on what the industry calls decentralized finance, or DeFi—and it is the clearest illustration yet of a quieter argument, the one this piece means to make: that an appeal to decentralization is often less a description of how a technology works than a legal tactic, and that, as tactics go, it is failing more and more often.

To see why the case of Ooki DAO matters, one has to understand three things in turn: what DeFi actually is; why the conventional law—the American Howey test on one side of the Atlantic, the European Union’s MiCA regulation on the other—trips over it like a threshold it cannot see; and what tends to rush into the vacuum that results. Only then does the heart of the matter come into view: how a business that is, in fact, centralized slips into the costume of decentralization to shed its liability, and the precise moment at which the costume begins to tear.

 

A Loan Without a Lender

Picture a currency-exchange kiosk with no owner. No teller, no manager, not even a back room where someone sits. There is only a machine, and inside it a rule fixed once and for all: feed in dollars, receive euros at a rate determined by how much of each currency happens to be sitting in the machine at that moment. No one sets the rate. The arithmetic sets it. The machine stands on a street corner from which it cannot be removed, because it belongs to nobody, and the key to it has—so the story goes—been thrown away.

That, more or less, is the idea behind a decentralized exchange, or DEX, the beating heart of DeFi. In place of a financial institution there is a program, a so-called smart contract: a piece of code, living on a blockchain, that executes itself, automatically, the moment its written conditions are met. Lending works the same way. Instead of a bank weighing your creditworthiness, there is a pool of funds deposited by anonymous strangers; you post collateral in cryptocurrency, the code releases your loan, and the code itself stands watch, ready to claw the collateral back the instant its value slips. A loan without a lender. A deposit without a custodian.

The promise here is at once technical and philosophical. If a service is rendered by code rather than by a person, then there is no one to cheat you, no one to bribe, and—most important for our story—no one to sue. Conventional finance rests on trust in an intermediary, and on a state that supervises that intermediary; DeFi proposes to replace both with trust in mathematics. The movement’s slogan is code is law.

It is a beautiful idea. The trouble, as we shall see, is that the machine on the corner almost always does have an owner, and the owner has almost never actually thrown away the key. But before we get to the owner, we must understand why the mere promise of his absence is enough to paralyze a regulator.

 

A Law That Goes Looking for a Person

Modern financial law, American and European alike, was built around a single assumption it rarely bothers to state aloud: that somewhere there is a someone. Someone who issues the security. Someone who runs the exchange. Someone who takes the deposit. The entire scaffolding of obligations—disclosure, capital requirements, consumer protection—presumes an addressee to whom those duties can be handed and from whom an injured party can demand redress. Financial law is, at bottom, a law about persons who do things, not about things that happen on their own.

Watch the assumption surface on both sides of the ocean.

In the United States, whether an asset is a security—and therefore subject to the Securities and Exchange Commission—turns on a test the Supreme Court laid down in 1946, in SEC v. W. J. Howey Co. The case concerned, of all things, a Florida orange grove, sold to investors together with a contract to tend the trees on their behalf. A security exists, the Court held, wherever someone invests money in a common enterprise and is led to expect profits solely from the efforts of others. And it is in those last words that the whole difficulty lives. Howey asks about somebody’s efforts. If a service is rendered, supposedly, by autonomous code alone, then whose efforts are they? Those of founders long since departed? Of anonymous voters? Of the machine?[^1]

The temptation of an answer is obvious: if no one is making the effort anymore, because the code does everything, then the Howey prong collapses, and the S.E.C.’s jurisdiction collapses with it. This is the first line of the DeFi defense. It helped, for a while, that in 2018 a senior S.E.C. official named William Hinman suggested in a speech that a sufficiently decentralized asset—he was speaking of Ether—might cease to be a security. For years the remark was quoted like scripture. Except that, as the agency itself would later take pains to clarify, it was the private view of an official, not a binding position of the Commission. No provision of American law contains a decentralization exemption. The myth simply outlived the correction, because it was convenient.

Europe took a different road and stumbled at the same threshold. MiCA, the Union’s comprehensive cryptoasset regulation, turns on the notion of a crypto-asset service provider, or CASP—defined, in Article 3, as a legal person or other undertaking that provides services on a professional basis. Once again: there must be a someone, some undertaking, however informal. And here the European legislator did something easy to miss and crucial to grasp. In Recital 22 of the preamble it wrote that services provided in a fully decentralised manner without any intermediary should fall outside the regulation—and then carried that very phrase into the operative text, into Article 2(3). The exemption thus became a real provision rather than a pious wish in a preamble. But it left a gap: the regulation nowhere defines what fully decentralised means. The legislator cut a window into the law and neglected to give its dimensions.[^2]

And so both systems, for all their difference, share the same Achilles’ heel. The American Howey test asks whose the efforts are; European MiCA asks who the undertaking is. Both presume that somewhere there is a person. DeFi promises that there is none.

Were that promise true, we would be looking at a genuine regulatory vacuum: a financial service attributable to no one at all. The question that organizes everything that follows is therefore a simple one. Is the vacuum real, or merely declared? Before we answer it, consider what flows into the void.

 

What Rushes Into the Void

Any space in which a transaction has no author, and a movement of value leaves no trail leading back to a person, exerts a kind of gravity on the phenomena that flee the light. This is neither an accident nor a vice of the technology. It is simple logic: if the financial intermediary is the party that, in the conventional system, is obliged to know its customer and to report the suspicious transaction, then removing the intermediary removes the watching eye along with it. Consider four categories, pairing what regulators observe worldwide with examples that have already crossed these pages.

Money laundering and the evasion of sanctions. The most frequent guest. A decentralized exchange does not ask where your funds came from, because, by design, there is no one to ask. So-called mixers—protocols that blend many users’ cryptocurrency together to sever the link between the sending address and the receiving one—carry the logic to its extreme. When the United States Treasury sanctioned one of the most notorious of them in 2022, on the ground that it had been used to launder more than seven billion dollars, including funds stolen by North Korea’s Lazarus Group, its defenders answered exactly as the first line of the DeFi defense instructs: that what had been punished was code, and code cannot be sanctioned, because it is not a person. And here, tellingly, the defense at last prevailed—but only on the narrowest of grounds. In Van Loon v. Department of the Treasury, the Fifth Circuit held in late 2024 that the government had overstepped, because the particular smart contracts at issue were immutable: unchangeable, unownable, controlled by no one, and therefore not “property” that sanctions law can reach. The exception, in other words, proves the rule. What the law could not touch was the code that truly had no owner—the rare, genuine article. Everything with a hand still on the switch remains squarely within reach.[^3] In March of 2025 the Treasury went further still and removed Tornado Cash from the sanctions list altogether, citing the evolving technology and legal environment.

The mechanism the sanctions were chasing is, by now, almost a choreography. North Korea’s Lazarus Group—the same outfit blamed for the Ronin Bridge theft that produced the laundered funds in the first place—has, by the estimates of the major blockchain-analytics firms, run somewhere between thirty and forty per cent of more than two billion dollars in stolen cryptocurrency through DeFi. The pattern repeats so reliably that investigators can recite it: breach a bridge or an exchange; within hours, before the analysts can flag the addresses, swap the haul into ether or stablecoins on a decentralized exchange, Uniswap most often the first stop; push it through a mixer; withdraw in tranches over weeks; and off-ramp, at last, through a centralized exchange in some jurisdiction where the identity checks are lax. Each link in that chain is a DeFi protocol that, by design, asks no questions. The speed is the tell: after the Ronin theft, the first mixer deposits landed within hours, because for the launderers the clock starts the moment the analysts start watching.[^4]

Sanctions evasion wears a quieter face. Where the Lazarus pattern is theft and flight, Russian users, since 2022, have leaned on DeFi lending: deposit ether bought for rubles into a protocol like Aave or Compound, borrow dollar-pegged stablecoins against it, and withdraw those to a private wallet—dollar-equivalent value, held outside the sanctioned banking system, having never once passed a centralized exchange’s identity check. No theft, no mixer, nothing that trips an alarm; only the ordinary machinery of DeFi turned to the purpose of stepping around a financial blockade.[^5]

Investment fraud and phantom exchanges. The second category is swindle. The classic rug pull works like this: the creators mint a token, whip up enthusiasm around it, and, once investors’ funds have flowed into the pool, drain it in a single motion and vanish. In a centralized world there would have to be an entity for the prosecutor to reach. In a supposedly decentralized one, the creators are betting they can hide behind a sentence: it wasn’t us, it was the autonomous protocol. The F.B.I. and supervisors in many countries put the losses from such schemes in the billions a year.

From the same soil grows something more cynical still: the second swindle, practiced on the victims of the first. To people who have already lost everything there appear self-styled specialists in fund recovery, promising to extract the money from the blockchain for a fee paid up front. It is another rug, pulled out from under those who have already fallen once. Anyone who has lost money in a crypto scheme should adopt an iron rule: no one credible demands payment in advance to recover your funds, and an offer to do so is, almost without exception, the second fraud.

Gambling, and trading in what may not be traded. The third category is activity that, in the bricks-and-mortar world, requires a license or is forbidden outright. Decentralized betting platforms, running without a concession and without an age check, are available wherever the internet reaches. Which returns us to Ooki DAO, where we began: the C.F.T.C.’s charge was precisely the offering of leveraged commodity transactions to retail customers without a license and without know-your-customer procedures. Leverage—trading on borrowed funds many times one’s own stake—is, for the small investor, a double-edged sword, which is why the law fences it about. The permitted leverage on decentralized exchanges can in fact exceed that of regulated ones, a point the Bank for International Settlements has noted. The protocol stripped away the fences while offering a risk greater than the supervised market’s—and called itself mere code.[^6]

The fourth category is the gravest, and here the abstractions acquire warheads. The proceeds of the Lazarus heists do not vanish into private fortunes. In the assessment of the U.N. Panel of Experts established under Security Council Resolution 1718, and of the U.S. Treasury, they help fund North Korea’s missile and nuclear programs. This is why the financing of weapons proliferation, like the financing of terror, sits at the very summit of the hierarchy of flows that states insist on being able to trace, and why a mixer that launders a bridge heist is treated not as a privacy tool but as a link in a proliferation-finance chain. A payment channel with no addressee is, in that light, not a convenience but a danger of a wholly different order from the dodging of tax on a trading gain.[^7]

The common denominator of all four is one. They are not drawn by technical decentralization as such. They are drawn by the absence of a person at the end of the trail. DeFi sells that absence as a virtue. To a prosecutor, it is a hiding place.

 

The Costume of Decentralization

Here we arrive at the heart of it. If the absence of a person paralyzes the regulator, then there arises an overwhelming temptation to stage that absence. And here runs the line that matters most to a lawyer: the line between decentralization that is real and decentralization worn like a costume. The Bank for International Settlements, the institution of the world’s central banks, gave the phenomenon its name outright—the “decentralisation illusion,” observing that virtually every DeFi platform retains some decision-making center, however hidden behind the facade of a vote.

The B.I.S. argument is subtler than it looks, and worth setting out, because it strikes at the very premise of code is law. Economics has long understood that no contract can be written to foresee every possible eventuality; that “incompleteness” is what firms resolve by appointing a decision-making center—in a company, management. In DeFi the counterpart is algorithmic incompleteness: one cannot encode in advance what to do in every unforeseen circumstance. And so every platform must have some center that responds to the unforeseen, with governance-token holders playing a role, as the B.I.S. puts it, not so far removed from that of corporate shareholders.[^8]

Sometimes the costume slips by accident, under the lights. When, in 2021, an upgrade to one of the largest lending protocols mistakenly handed out rewards worth some ninety million dollars, its founder posted publicly that there were no administrative controls or community tools that could halt the distribution. The sentence was meant to demonstrate helplessness before autonomous code. It demonstrated the opposite: the existence of a founder who speaks publicly on the protocol’s behalf, who knows its internal privileges, and who might, in principle, possess them. In conventional finance an erroneous transfer is challenged in court; here it turned out that there was, at least, someone to ask why there was no court.

The tactical pattern is nearly always the same. Take a team that builds a protocol, runs its website, draws fees from it, and holds the technical power to switch it off or alter it. In the eyes of the law that is, plainly, an enterprise providing a financial service. But the team calls into being a so-called decentralized autonomous organization, or DAO, distributes governance tokens, and from then on answers every regulator’s question with the same formula: the community decides, we are merely one voice among many, the service is rendered by autonomous code. The costume is on.

What is telling is that this maneuver is the mirror image of a strategy familiar from the study of corporate structures. There, companies are multiplied across jurisdictions to diffuse responsibility laterally. Here, it is diffused downward and outward, onto an anonymous crowd of voters, so that no one is left at the center to be pointed at. The aim, in both cases, is identical: to separate the one who takes the benefit from the one who bears the liability. And in both, the law has had to learn to look past the form to the question of who, in fact, is pulling the strings.

 

Where the Costume Tears

The good news for the legal order, and the bad news for those in costume, is that the disguise has seams. Regulators, caught off guard at first, have worked out a method that asks nothing about the philosophy of decentralization or the architecture of software. It asks about facts. The Danish supervisor, the Finanstilsynet, framed it most fully; at the level of the Union, the joint report of the European Banking Authority and ESMA, in January of 2025, did the same. From those documents emerges a list of four tell-tale signs, any one of which is enough to conclude that there is, after all, a person behind the supposedly autonomous code.

The first sign: who collects the fees. If from each transaction a drop of the stream runs off to a particular treasury or to the creators, then there is revenue—and where there is revenue there is a business, and a person who runs it. The machine on the corner turns out to have an owner, who empties the coin box every evening.

The second sign: who runs the front door. The smart contract may live on the blockchain, but the ordinary user reaches it through a website or an app. Someone maintains that site, pays for the servers, designs the buttons. That someone, in ESMA’s assessment, is providing a service, however autonomous the contract beneath. The door to the machine, after all, is one that somebody unlocks each morning.

The third sign, and the decisive one: who holds the key. This is the fact that settles matters. If there exists a technical capacity to pause, alter, or upgrade the protocol, and that capacity rests with a team or a narrow circle of people—even ones hidden behind pseudonyms and sharing a single key, a so-called multi-signature wallet—then the protocol is not autonomous. It is steered. The administrative key is proof that someone still stands beside the machine with a hand on the switch. To return to our metaphor: the one who can, at any moment, reset the kiosk’s exchange rate or shut it off is its operator, whatever he may claim to have done with the key.

The fourth sign: who writes the future. When an identifiable team decides the direction of development, ships the successive versions, audits the code, and administers the treasury, control of the protocol can be laid at its door. The community votes—but someone else sets the agenda.

These four signs are not a regulator’s wish list. They are an investigator’s field manual: where to look, and what it suffices to find, for a service that appears to belong to no one to turn out to be a service provided by a particular party. The costume of decentralization has four seams, and one is enough to unpick.

 

The Anatomy of Ooki DAO

Return, then, to the lawsuit dropped into the chat window—not a procedural curiosity but the fullest exposition we have of how the law deals with the costume. The case is worth following step by step, for it has an almost textbook structure.

The genesis, or the costume donned in real time. The protocol at issue was not born ownerless. It was built and run by an ordinary company, bZeroX LLC, belonging to two men, Tom Bean and Kyle Kistner. The company ran a website, marketed the software, solicited orders, and—this matters—collected fees; it also held what are called administrator keys, which let it halt trading, suspend it, and change the code. It was, in other words, a textbook financial intermediary. In August of 2021 the founders transferred control of the protocol to a newly minted organization, soon named Ooki DAO, and handed over those administrator keys along with it.[^9]

The court quoted the finding that matters most to our thesis: the founders, it was alleged, believed that the transition to a DAO would insulate the protocol from regulatory oversight and from accountability for compliance with United States law. There is the costume, caught in the very act of being put on. Not a description of a technology but a statement of motive. And the protocol, once changed into costume, went on operating exactly as before: the same transactions, the same fees, gathered now in a central DAO treasury.

The first defense: it’s not an entity, it’s a technology. The friends of the court—industry-aligned organizations—argued that suing a DAO is like suing the internet, or the technology itself. The court rejected the reasoning in a way worth remembering: since the C.F.T.C. could have sued bZeroX for using the keys to control the protocol, it may now sue Ooki DAO for using the very same keys to the very same end. Transferring control does not erase control; it changes only the name of the one who exercises it. That the regulator chooses to sue the organization rather than each voter individually is a litigation choice it is free to make.

The second defense: there is no person the law recognizes. And here the court reached for a structure as old as the civil law itself—the unincorporated association. The statute under which the C.F.T.C. proceeds assigns liability to any “person,” and defines the word broadly enough to include associations. California law, in turn, treats as an unincorporated association any group of two or more persons joined by mutual consent for a common, lawful purpose. Ooki DAO, the court held, fits the definition: the token holders are a group of persons; their common purpose is governing the protocol, in particular the disposition of funds from its treasury; and they act under a common name.

And here falls the blow to the very heart of the tactic, in reasoning as simple as it is inexorable. The defense had urged that different people casting different votes at different times form no common will at all. The court answered that even not voting, and voting against, are voluntary choices in service of the common purpose of governing the organization. To hold a token is to comprise the DAO, because the point of holding the token is the ability to vote. One cannot, in other words, invoke the rule of the community and in the same breath insist that the community is no one. The costume meant to protect became, itself, the proof of membership.[^10]

The core of the ruling fits in a single sentence of the court’s. Since the protocol operates in violation of federal law, then—as Judge Orrick put it—“someone must be responsible,” and fairness requires that the burden fall on the entity that governs it. Decentralization creates no lawless zone in which no one answers; at most it changes the name of the one who does.

The rest was consequence. In June of 2023 came a default judgment: an order to pay $643,542, a permanent bar on conducting that line of business without registration, and—fittingly—an order to remove from the internet the pages through which the forbidden transactions had been offered. The court found, too, the absence of the customer-identification procedures that the anti-money-laundering rules require. The machine that was supposed to have no owner received a judgment like any other operator, and it was the state that reached for its switch.[^11]

Europe arrives at the same place through a different door. If a DAO can be classed as an other undertaking within the meaning of MiCA, and if one legal order after another—from the American state of Wyoming, where a DAO has been able to register as a limited-liability company since 2021, to Switzerland—is learning to give such creatures a legal form, then the veil tears on that side of the Atlantic as well. A full analysis of the legal forms of the DAO leads to a conclusion of the kind that sounds paradoxical and is in fact a tautology: the more an organization wishes to be a real entity capable of acting, the harder it becomes for it to maintain that it is not an entity at all.

Let the data close the picture, for it is the data that expose the costume most plainly. The value locked in DeFi protocols rose from roughly fifty-four billion dollars at the start of 2024 to around a hundred and twenty-nine billion a year later, and on to a record of some two hundred and thirty-seven billion by the third quarter of 2025; the decentralized exchanges’ share of global spot trading climbed past a fifth, where in 2021 it had not reached a tenth. By March of 2026, after the swings between, the value locked stood at roughly ninety-eight billion dollars, on the Congressional Research Service’s reckoning.

The sector has matured. And yet, looked at through the four tell-tale signs, its leaders present an unambiguous picture.

Protocol What the regulator finds Factual verdict
Uniswap Site and interface run by Uniswap Labs; fees and treasury decided by token vote Partly centralized. Not “fully decentralised” on a Recital 22 reading.
PancakeSwap Upgradeable contracts; key held in the team’s multi-signature wallet Centralized. Within MiCA’s reach where operated with an EU nexus.
Hyperliquid Its own chain, with a small, initially closed set of validators Substantially centralized. Up close, it resembles an ordinary exchange.
dYdX Validators chosen by token holders; operator based in the U.S. Partly centralized. Exposure to the American regulators.

For each of the leaders, at least one sign leads back to a person. An interface fee, an upgradeable contract, a narrow set of validators, a governance-controlled treasury—any one of these, on its own, is enough to negate full decentralization. There are, on this particular street, no clean machines without an owner.

 

What Follows

Decentralization is not a fraud. It is a real technology and, in its authentic form, a real good. The difficulty is that the authentic form—a protocol that is truly no one’s, truly stripped of its key and its stream of fees—is a rarity on the market bordering on a curiosity. Far more often, decentralization is a declaration rather than a state of affairs, and the declaration performs a legal function: to push the liability away from those who take the benefit, quite tangibly, all the same.

The lesson for the regulator is that it must not ask the protocol about its philosophy. It must ask about facts: who collects the fee, who runs the front door, who holds the key, who writes the future. The lesson for the honest operator in the field is subtler, and no less important: the worst position of all is the halfway one. It marries the costs and the risks of centralization to the absence of the protection that real decentralization would confer. Whoever keeps the key is an operator, and would do better to take up the role knowingly, with a license in hand, than to play the machine until the prosecutor knocks.

And yet, in the United States, enforcement is precisely what has lately relented. Through 2025 the Treasury delisted Tornado Cash, the Justice Department stepped back from what it called regulation by prosecution, the Securities and Exchange Commission dropped its inquiry into Uniswap, and the House passed a market-structure bill—the CLARITY Act, not yet taken up by the Senate—that would carve much of DeFi, its developers, validators, liquidity pools, and decentralized exchanges, out of the registration regime by name. The retreat is real, yet notice what it concedes: if decentralized code were truly beyond the law’s reach, no statute would be needed to put it there. The very effort to legislate an exemption is an admission that, without one, the existing law would bite. Ooki proved the tools exist; the CLARITY Act would take them from the courts’ hands. The costume does not hold on its own—which is why its wearers have begun to lobby for a law to hold it up. Europe, meanwhile, travels the other way, MiCA and its supervisors leaning in where Washington leans out.

And the lesson for anyone who entrusts such protocols with his money? The same one that flows from hundreds of cases far older than crypto. Wherever someone promises a profit and assures you that an impartial mechanism, rather than a particular human being, is answerable for it all, there is, almost always, a particular human being—one who simply prefers to stay out of sight. To work out who holds the key is the first act of prudence. It is also the last resort, on the day the machine abruptly stops dispensing euros.

 

The theses developed in this article were the subject of the presentations:

 

The Decentralisation Test Under the Clarity Act and MiCA: When a Decentralised Exchange Falls Within the Regulatory Perimeter

[^1]: SEC v. W. J. Howey Co., 328 U.S. 293 (1946). The four-part test: (1) an investment of money, (2) in a common enterprise, (3) with an expectation of profit, (4) derived from the efforts of others.

[^2]: Recital 22 and Article 2(3) of Regulation (EU) 2023/1114 (MiCA). In EU drafting practice a preamble creates no freestanding obligations; here, however, its language was reproduced in the operative article, which renders the exclusion binding yet undefined.

[^3]: OFAC sanctioned Tornado Cash on August 8, 2022, citing the laundering of over $7 billion, including more than $455 million stolen by the DPRK-linked Lazarus Group. In Van Loon v. U.S. Dep’t of the Treasury (5th Cir., Nov. 26, 2024), the court held that OFAC exceeded its statutory authority in designating Tornado Cash’s immutable smart contracts, which are not “property” within the meaning of the sanctions statute. The holding turns on immutability—precisely the absence of a controlling person.

[^4]: Volume and pattern from O. Sonmez, “DeFi Protocols as Sanctions Evasion Vectors” (SSRN, 2025), § 4.1, drawing on Chainalysis, “2024 Crypto Crime Report,” and TRM Labs, “Illicit Crypto Ecosystem Report” (2024). The Ronin Bridge theft (approx. $625M, March 2022) and Horizon Bridge theft (approx. $100M, June 2022) are the most-cited Lazarus operations.

[^5]: On post-2022 Russian capital flight through DeFi lending, and on Iran’s smaller, emerging use of DeFi as a supplement to centralized stablecoin channels, see Sonmez, op. cit., §§ 4.2–4.3.

[^6]: On the higher maximum leverage available on certain decentralized venues than on regulated exchanges, see Bank for International Settlements, BIS Quarterly Review (December 2021), “DeFi risks and the decentralisation illusion,” at 30.

[^7]: The U.N. Panel of Experts reporting under UNSC Resolution 1718 (2006), together with U.S. Treasury and OFAC designations, attributes Lazarus Group cryptocurrency proceeds to the financing of DPRK weapons programs; the August 2022 Tornado Cash designation itself rested on the laundering of Ronin Bridge proceeds tied to that group.

[^8]: S. Aramonte, W. Huang, and A. Schrimpf, “DeFi risks and the decentralisation illusion,” BIS Quarterly Review (December 2021), at 21, 27–28. “Algorithm incompleteness” is the counterpart of the “incomplete contracts” of the theory of the firm (Coase, 1937; Grossman and Hart, 1986).

[^9]: CFTC v. Ooki DAO, U.S. District Court for the Northern District of California (Orrick, J.), Order of December 20, 2022 (Dkt. 63), Part I, on the allegations of the complaint; and the earlier administrative settlement against the founders, In re bZeroX, LLC; Tom Bean; Kyle Kistner, CFTC No. 22-31 (September 22, 2022).

[^10]: CFTC v. Ooki DAO (Dkt. 63), Part II; see 7 U.S.C. § 1a(38) (the definition of “person” includes associations) and Cal. Corp. Code § 18035(a) (defining an unincorporated association). The state-law test: a group sharing a common purpose, functioning under a common name in circumstances where fairness requires that it be recognized as an entity (Church Mut. Ins. Co. v. S.I., 72 Cal. App. 5th 1059).

[^11]: CFTC v. Ooki DAO, Judgment of June 8, 2023 (Dkt. 77): the sum of $643,542, a permanent injunction, and an order to remove the relevant webpages (including ooki.com); the violation included the failure to adopt a customer identification program under the Bank Secrecy Act regime (Reg. 42.2, 17 C.F.R. § 42.2).

 

Further reading

Blockchain remembers everything

Code Above Country? How North Korean Hackers Won the Tornado Cash Ruling and Why Congress Must Rewrite the Playbook

Smart Contracts Were Going to Replace Lawyers

Global Legal Frameworks for Decentralized Autonomous Organizations

Clean Bills & Dirty Money: What the SEC’s DeFi U-Turn Means for Financial Crime