U.S. prosecutors want Roman Storm back in court on October 5–12, 2026, but the key issue is not simply whether Tornado Cash was used for crime. The harder question is whether an open-source developer can be held criminally liable for how a non-custodial privacy tool was later used, even as the U.S. government itself acknowledges that crypto mixers have legitimate privacy functions.
What changed in the Roman Storm case
Manhattan prosecutors under U.S. Attorney Jay Clayton have asked for an early October 2026 retrial on two unresolved counts: conspiracy to commit money laundering and conspiracy to violate sanctions. Those are the charges on which the jury deadlocked in Storm’s 2025 trial.
That request comes after a split result in the first case. Storm was convicted of operating an unlicensed money transmitting business, but jurors did not reach a unanimous verdict on the more serious conspiracy counts. Prosecutors say Tornado Cash facilitated more than $1 billion in illicit funds, including transactions tied to North Korea’s Lazarus Group. Storm’s defense argues that he wrote open-source code, did not control user funds, and did not intend to assist criminal conduct.
The retrial is not fully locked in yet. Storm’s legal team has a Rule 29 motion set for argument in April 2026, seeking acquittal on legal grounds. That ruling matters because it could narrow the case, delay the schedule, or remove the need for a retrial on some issues altogether.
Why this is a developer-liability case, not just an AML case
It is easy to frame the retrial as a straightforward enforcement action against illicit finance, but that misses the central legal conflict. The dispute is over whether publishing and maintaining privacy-preserving code can itself become the basis for criminal liability when third parties later use the tool for unlawful transactions.
That distinction matters for crypto market structure because non-custodial infrastructure sits in a different category from exchanges, brokers, and payment intermediaries that actually take possession of customer assets. If prosecutors can treat protocol developers like financial operators even when they do not control funds, the compliance perimeter moves upstream from service providers to software creators.
The defense position rests on that boundary. Storm’s lawyers argue he neither handled transactions nor exercised control over Tornado Cash users. Prosecutors are trying to show that knowledge of illicit use, combined with the protocol’s operation, is enough to support conspiracy charges. The retrial will test how far that theory can go.
Policy signals are not aligned
The legal pressure on Storm is arriving alongside mixed signals from Washington. A recent U.S. Treasury report acknowledged that crypto mixers can serve legitimate purposes, including protecting personal finances, business activity, and charitable donations from public blockchain exposure. That is a meaningful admission because it rejects the idea that mixers are inherently criminal tools.
At the same time, enforcement agencies continue to emphasize the role of mixers in laundering stolen or sanctioned funds. That leaves the market with a practical contradiction: privacy technology is recognized as having lawful use cases, but developers and users still face a policy environment where those lawful uses may not provide much protection once illicit flow becomes part of the government’s case.
This is why the Storm retrial matters beyond one defendant. It is a live test of whether U.S. policy will distinguish between custodial financial intermediation and neutral privacy infrastructure, or keep collapsing those categories when politically difficult facts are present.
Where Congress and the courts may diverge
Legislative efforts are moving in a different direction from the prosecution theory. The Blockchain Regulatory Certainty Act, reintroduced in Congress, seeks to protect non-custodial developers from being treated as money transmitters when they do not control customer funds. Supporters see that as a direct response to cases like Storm’s.
If that approach gains traction, it would create a clearer line for builders: control of assets would matter more than mere involvement in software development. But until Congress changes the law or courts adopt a narrower reading of existing statutes, prosecutors can still test broader theories through litigation.

| Issue | Current prosecution posture | Emerging policy counterpoint |
|---|---|---|
| Developer role | Open-source development can still be tied to criminal conspiracy allegations | Non-custodial developers should not automatically be treated like money transmitters |
| Mixers | Emphasis on laundering and sanctions evasion risk | Treasury acknowledges legitimate privacy uses |
| Control of funds | Not necessarily treated as the decisive threshold in this case | Legislative proposals would make lack of custody a stronger shield |
| Regulatory method | Litigation is being used to define boundaries | Critics argue rules should be clarified by statute, not stretched through prosecutions |

The next checkpoint is April 2026, not October
The October 5–12, 2026 retrial window is the headline date, but the more immediate checkpoint is the April 2026 hearing on Storm’s Rule 29 motion. If the court grants relief on legal grounds, the retrial could be narrowed, postponed, or disrupted entirely. If the motion fails, prosecutors will have a clearer path to retry the deadlocked counts over roughly three weeks.
For crypto investors and builders, the signal to watch is not day-to-day rhetoric around privacy tools. It is whether the court accepts a theory that non-custodial software development can support money laundering and sanctions conspiracy charges without direct control over user transactions. That would affect how infrastructure projects assess legal risk, where teams choose to build, and how liquidity migrates between more transparent and more privacy-preserving parts of the market.
In that sense, the Storm retrial is less about one protocol’s reputation than about whether U.S. law will treat privacy infrastructure as a regulated financial actor by default. April is the first point where that boundary may become clearer.


