Keonne Rodriguez has entered a US federal penitentiary. Five years. His crime: writing a non-custodial Bitcoin wallet with Whirlpool.
He never touched user funds. He didn't hold the keys. The code was open source. Yet the Department of Justice prosecuted him for "unlicensed money transmitting" under Section 1960 - a charge that requires no proof of intent, no complicity with crimes, no custody of others' funds. His associate William Lonergan Hill got four years.
Running parallel is Roman Storm, co-founder of Tornado Cash - a non-custodial mixer on Ethereum. Arrested in August 2023. A four-week trial in the Southern District of New York. Verdict on August 6, 2025: the jury failed to reach agreement on the two heavy counts (money laundering, violating North Korea sanctions), but convicted him on § 1960. Same charge, same pattern. If the motion for acquittal filed by the defense is denied, Storm faces a retrial in October 2026 with total exposure approaching forty-five years.
Too bad that back in 2019 FinCEN had explicitly written: anyone who develops non-custodial peer-to-peer software without controlling user funds is not a money transmitter. In April 2025, Deputy Attorney General Todd Blanche issued an internal memo: stop regulatory prosecutions against developers of non-custodial software.
The verdict against Storm came in August 2025. Four months after the Blanche memo. Prosecutors in the Southern District of New York pushed for conviction anyway. In March 2026 they sought a new trial on the other two counts, with the opposite directive written in black and white by DOJ leadership.
If the interpretation of § 1960 applied to Storm holds up on appeal, the perimeter is this: any American developer of wallets, coinjoins, or Lightning Service Providers becomes a potential defendant. The menu is already written. Plead and take four or five years. Fight and risk forty-five.
Code is on trial, whatever the paid feds in Las Vegas may say.
quoting
naddr1qq…rf20Sponsored announcement
With Debifi you have access to immediate fiat liquidity without giving up your bitcoin.
Debifi is a Bitcoin-only and non-custodial lending platform. You deposit your bitcoin as collateral in a 3-of-4 multisig escrow: the keys are distributed between you, the lender, an authorized key holder, and Debifi. 3 of 4 signatures are required to move the funds - no one can touch your bitcoin unilaterally.
The code is open source: you can verify everything.
Forget the nightmare of 33% capital gains tax from selling bitcoin: a loan is not a taxable event!
Choose the duration of the loan, the LTV (the share of bitcoin you commit compared to what you receive in fiat) and receive the loan in euros, dollars, or stablecoins. Debifi, never sell your bitcoin again!
Request your first loan here: https://debifi.com
————————
When Keonne Rodriguez walked through the gates of the federal penitentiary, the news covered it for an afternoon. Dry headlines, a few indignant tweets, then silence. Yet that day is probably the most important in recent years for anyone concerned with privacy, because it certified one thing: in the United States of America, writing non-custodial software for Bitcoin can land you in prison.
Rodriguez and his partner William Lonergan Hill, the two developers of Samourai Wallet, had pleaded guilty in July 2025. In exchange for five years (four for Hill, who received a reduction for age and an autism diagnosis), the Department of Justice agreed to drop the heaviest charge, that of conspiracy to launder money, which carried a maximum of twenty years.
Rodriguez chose to plead guilty. In a parallel story, but inextricably linked to the Samourai case, Roman Storm, co-founder of Tornado Cash, chose to fight.
Roman Storm was arrested in August 2023, charged along with co-founder Roman Semenov (still a fugitive) with three counts: conspiracy to launder money, conspiracy to violate sanctions against North Korea (essentially: Lazarus Group used Tornado Cash to launder stolen Ether), and conspiracy to operate an unlicensed money transmitting business. Four years of investigation, a four-week trial in the Southern District of New York, and then the verdict of August 6, 2025.
The jury agreed on only one of the three counts: the apparently more technical one of unlicensed money transmitting. On the other two, the heaviest ones, no consensus. The jury didn't feel comfortable establishing a direct connection between the code written by Storm and the deliberate intent to facilitate crime. But on the lesser count - which doesn't require any proof of complicity with crime itself - the conviction came.
Storm is free on bail, awaiting sentencing. In October 2025, his defense filed a motion for acquittal, asking the judge to overturn the conviction for insufficient evidence. Last April 9, 2026, the oral argument was held in court before Judge Katherine Polk Failla. According to those who attended the hearing, the Government still doesn't understand the technology and the judge asked detailed questions without revealing her inclination. If the motion is granted, the Government will have to decide whether to appeal or let it go. If rejected, Storm will go to judgment on the count for which he has already been convicted (he faces up to five years in prison) and will face a retrial on the two unresolved counts in October 2026, with a total exposure approaching forty-five years.
But let's return to the lesser count. Because that's where the real game is being played.
It's called Section 1960: conspiracy to operate an unlicensed money transmitting business.
Now, the interesting thing is that to convict someone under this count, you don't need to prove that the money transmitted is the proceeds of crime. You don't need to prove that the defendant helped terrorists, drug traffickers, or sanctioned countries. You don't need to prove specific intent. You just need to prove that they operated a business that, according to the DOJ's interpretation, transmits money, and that they didn't have a license to do so.
The problem - and this is why the Storm case matters - is that Tornado Cash is non-custodial software. Storm never had access to users' funds. The software was open source and allowed users to mix their own transactions. No one, not even Storm, had the power to block or send others' funds.
Yet, according to the New York jury, this is operating a money transmitting business. Writing and maintaining the code, managing the frontend, advertising it. All of this - in the DOJ's winning interpretation - transforms a developer into an operator of unauthorized financial services. You don't need users' funds. You don't need custody. You need the code.
If this interpretation holds on appeal, any American developer of wallets, coinjoin, Lightning Service Providers, Fedimint, or Cashu becomes a potential defendant.
That this is not an isolated interpretation is demonstrated by the story of Rodriguez and Hill. The two co-founders of Samourai Wallet were arrested in April 2024, with charges substantially identical to those of Storm: conspiracy to launder money, conspiracy to operate an unlicensed money transmitting business. Samourai was a non-custodial Bitcoin wallet with advanced privacy features (Whirlpool for coinjoin). Like Tornado Cash, it didn't custody users' keys.
In July 2025, Rodriguez and Hill chose to plead guilty. They accepted the conviction on count § 1960 - the same one now hanging over Storm - in exchange for dropping the money laundering charge.
The result is what the Southern District of New York sanctioned in November: five years for Rodriguez plus a $250,000 fine, four years for Hill. Plus the seizure of samouraiwallet.com, the app on the Google Play Store, and over six million dollars. The developer loses freedom, the domain, the app, the money. The technical legacy is erased.
At this point, the DOJ's menu is written in black and white: if you're an American developer of non-custodial software with privacy features, and the Government decides that what you wrote "transmits money," you have two options. Plead guilty on § 1960 and get four or five years. Fight on all fronts and risk getting forty-five.
Storm chose the second path, and it's precisely the choice that makes his trial an existential test for the open source developer community.
Yet until a few years ago, it seemed that the American legal framework offered protection to developers. In May 2019, the Financial Crimes Enforcement Network (FinCEN, the Treasury agency that handles anti-money laundering) had published an explicit interpretive guidance: software providers that enable peer-to-peer transactions without ever having control of funds are not money transmitters under federal regulations. In essence: a non-custodial wallet is not a bank and those who develop it are not financial service operators.
In April 2025, Deputy Attorney General Todd Blanche issued an internal DOJ memo that went in the same direction: stop regulatory prosecutions against non-custodial software developers, prioritize protecting victims, not extending criminal jurisdiction over code.
Here's the thing. The Storm jury rendered its verdict in August 2025 - four months after the Blanche memo. Prosecutors in the Southern District of New York pushed for conviction anyway. And in March 2026, they requested a new trial on the other two counts, despite having - formally, in writing, from the very top of the DOJ - the opposite directive. You be the judge of what matters more: headquarters' policy, or the will of an individual Manhattan prosecutor to bring home a scalp?
Why did the Storm jury deadlock on the two serious counts (money laundering and sanctions), while Rodriguez and Hill felt they had no choice but to plead guilty?
The answer lies in the Samourai court documents. In the sentencing, prosecutors filed a catalog of public and private communications from the two founders. In July 2020, after a Twitter user had suggested to some hackers that they use Whirlpool to launder the proceeds of their attack, Rodriguez intervened in the thread personally encouraging those hackers to send their illicit funds into Samourai's mixer. When the hackers chose a competing mixer, Rodriguez and Hill publicly complained on social media.
From the @SamouraiWallet account came a tweet that said, verbatim, "Welcome new Russian oligarch Samourai Wallet users." On a darknet channel, Hill wrote that Samourai Whirlpool was "a much better option" for "cleaning dirty BTC" compared to a competing service.
Now. Any criminal defense attorney, faced with evidence of this type, knows that the only way out is a quick plea deal. Because the money laundering conspiracy charge requires exactly that: awareness that the funds being handled have criminal origins. And Rodriguez had put it in writing, on Twitter, in front of the world. A prosecutor doesn't need to be particularly brilliant to bring a tweet like that before a jury and win.
Storm, simply, hadn't done the same. Tornado Cash had been built and communicated in the language of an open source project, not as a manifesto in the face of federal agencies. There were mistakes - some ambiguous public statements, a frontend maintained after Lazarus Group had become a well-known problem - but nothing comparable to the Rodriguez and Hill repertoire. And in fact, on the counts that required proof of specific intent, the jury deadlocked. It didn't acquit, but it didn't convict either.
This is the point. It's not that Samourai's code was more guilty than Tornado Cash's. It was identical in its non-custodial nature. What changed, in the two courtrooms, is the amount of ammunition the developers had put in the prosecutor's hands before the prosecutor even arrived.
The lesson for those writing privacy software in 2026 is therefore not stop writing. It's another one, less romantic but much more useful. Open source code for financial privacy should be published as the cypherpunks have always done: pseudonyms, sobriety, zero public rhetoric about how and by whom the software is used. That model still works. In fact, after Samourai and Storm, it's the only one that works.
A well-written privacy tool doesn't need a founder defending it publicly, nor a Twitter account taking pleasure in criminal clients. It needs to be verifiable, reproducible, and to survive its authors.
—————————
Sponsored announcement
Prague, June 11-13: the most important European Bitcoin conference arrives at its fourth edition. Jeff Booth, Jack Mallers, Michael Saylor, Peter McCormack and many others, check the list of all speakers here.
Buy your ticket now for the event of the year, do it with the code BTCTRAIN to get a 10% discount. I'll obviously be there too, see you in Prague!
When you ask me where to buy bitcoin, my first answer is always the peer-to-peer market: Bisq, HodlHodl, Robosats. But I know not everyone wants to use these services. If you're looking for an immediate service but compatible with Bitcoin's original values, my choice today is Bull Bitcoin. By signing up with the code "federico" you get a reduced spread of 1.75% instead of 2%, forever. You can do it from here.
Non-custodial, supports Bitcoin on-chain, Lightning, and Liquid. And you can also spend your bitcoin to pay any IBAN in euros, without going through a bank.
KYC data is on self-hosted infrastructure, not shared with tax agencies, governments, or third parties. And they will continue not to collaborate until someone shows up with a court order in hand. It's the only service in Europe I can say this about with certainty.