In a speech last month at the inaugural American Innovation Project (AIP) Summit, U.S. Department of Justice (DOJ) acting assistant attorney general, and head of the DOJ’s Criminal Division, Matthew R. Galeotti described a refined DOJ enforcement approach to illicit finance risks at decentralized finance (DeFi) protocols and other emerging noncustodial crypto platforms. Galeotti also addressed if, how, and when the DOJ would use the unlicensed money transmission statute, 18 U.S.C. § 1960, against developers in DeFi. Read together with the Trump Administration’s prior guidance on DOJ enforcement in the crypto space, Galeotti’s remarks reveal a number of issues that founders and developers in DeFi should be attuned to in order to minimize their DOJ enforcement risk.
Key Points
Criminal enforcement will not substitute for regulatory clarity
Galeotti echoed the April 7, 2025 “Ending Regulation by Prosecution” memorandum from Deputy Attorney General Todd Blanche, reaffirming that the DOJ “will not use indictments as a lawmaking tool.”
“Writing code without ill intent is not a crime”
According to Galeotti, the DOJ accepts the premise that writing or contributing to code, by itself, is not a crime. Prosecutors investigating misconduct in DeFi must focus on an actor’s specific intent. Anyone, including DeFi developers, knowingly participating in a criminal scheme or purposefully aiding one will face prosecution.
Narrowing the scope of what constitutes unlicensed money transmission in DeFi
The April 2025 Blanche memo directed prosecutors not to charge licensing and registration cases under Section 1960(b)(1)(A) & (B) and focused them instead on actors who knowingly transmit criminally derived funds in violation of Section 1960(b)(1)(C). Galeotti further refined that approach for those in DeFi, explaining that for developers making truly decentralized, noncustodial software that automates peer-to-peer transfers, “new 1960(b)(1)(C) charges … will not be approved.” However, he noted that even in a fully decentralized context, developers acting with criminal intent may still face other criminal charges.
DOJ Criminal Division will prioritize crypto cases with individual harm
Consistent with his white-collar enforcement priorities announced in May 2025, Galeotti underscored that for crypto markets, the DOJ Criminal Division’s enforcement efforts will continue to prioritize cases with direct individual harm, including those involving crypto investment fraud, smart contract exploits, and misappropriation of client crypto on centralized exchanges.
Prior Guidance & DOJ Enforcement Efforts
Since President Donald Trump’s inauguration, the U.S. government’s regulatory approach to crypto has changed dramatically, including at the DOJ. In his April 2025 memorandum to all DOJ employees, Blanche announced that the DOJ was ending crypto “regulation by prosecution,” committing that the DOJ would “no longer pursue litigation or enforcement actions that have the effect of superimposing regulatory frameworks on digital assets.” The April 2025 memo outlined the DOJ’s enforcement priorities in crypto, refocusing efforts on misconduct that harms investors or facilitates transnational criminal activity. In that memo, the DOJ recognized a distinction between digital asset platforms and “the acts of their end users” and announced that the DOJ would not target digital asset platforms simply because criminal groups may use those platforms to conduct their illegal activities.
The April 2025 memo specifically addressed prosecutors’ use of Section 1960 to investigate and prosecute digital asset cases. Blanche narrowed prosecutors’ ability to charge digital asset market participants with failure to register or license a money transmitting business in violation of Section 1960(b)(1)(A) & (B), prohibiting those charges unless prosecutors had evidence that the actor knew of the licensing or registration requirement and willfully violated it. At the same time, the memo carved out Section 1960(b)(1)(C) violations, explaining that because it required proof that someone transmitted funds they knew were criminal or did so to promote criminal activity, that provision was “outside the scope of this policy.”
Notably, the April 2025 memo was issued shortly before trial in the closely watched United States v. Storm prosecution, in which the DOJ charged Roman Storm, a developer of the DeFi mixer Tornado Cash, with conspiring to operate an unlicensed money transmitting business in violation of Section 1960. In Storm, the government alleged that, with Storm’s awareness and help, criminals and sanctioned actors used Tornado Cash to move untraceable millions in crypto across the internet. But as Storm and others from the DeFi community argued to the court throughout the case, whatever third parties did with Tornado Cash, because it was noncustodial and immutable software that Storm could not control, Section 1960 charges did not apply.
Just two months before the Storm trial, in line with the April 2025 memo, the DOJ announced that it was dropping its Section 1960(b)(1)(B) theory but proceeding to trial under Section 1960(b)(1)(C). In August 2025, after a month-long trial that featured extensive arguments about the ability of a developer to control fully decentralized, immutable software, in a mixed verdict, the jury convicted Storm of conspiring to violate Section 1960.
Galeotti’s Remarks & Key Points
Galeotti’s August 21, 2025 remarks came just weeks after the DOJ secured the Section 1960 conviction in Storm. While he did not address that case expressly, his remarks specifically addressed the question DeFi developers have raised both before and after the result in Storm: if developers of a fully decentralized protocol could not control how that protocol was used, would regulators still hold the developers responsible for what third parties did with their product?
Building on the April 2025 memo, several key points emerged from Galeotti’s remarks:
- True decentralization mitigates Section 1960 enforcement risk. In the clearest terms delivered by the DOJ to date, Galeotti explained that if a DeFi protocol or piece of software is genuinely decentralized, solely automates peer-to-peer transactions, and has no custody or control over user assets, Section 1960(b)(1)(C) charges against developers “will not be approved.” In announcing that more direct limitation on Section 1960 prosecutions involving DeFi, Galeotti noted that many DeFi developers relied on prior regulatory guidance on noncustodial software and money transmission, a likely reference to FinCEN’s 2019 guidance on decentralized applications. Although that regulatory guidance does not bind the DOJ, Galeotti made clear that it should factor into a prosecutor’s charging decisions, and it supported his announced limitation on any future Section 1960(b)(1)(C) charges.
- Writing code alone is not a crime; knowledge and intent are essential. Galeotti’s remarks underscored that the DOJ’s enforcement approach to DeFi is rooted in the principle that criminal liability hinges on knowledge and intent. He stated unequivocally, “merely writing code without ill intent is not a crime,” affirming that innovation and the development of decentralized tools should not, in themselves, invite prosecution. Instead, the DOJ’s focus is on actors who “knowingly commit crimes or who aid and abet the commission of crimes.” Galeotti emphasized that under federal criminal laws, specific intent is required for aiding and abetting or conspiracy charges: “if a developer merely contributes code to an open-source project, without the specific intent to assist criminal conduct, aid or abet a crime, or join a criminal conspiracy, [they are] not criminally liable.”
- The DOJ may pursue developers that facilitate criminal activity using other statutes. Although developers that create neutral, noncustodial tools without criminal intent may avoid Section 1960 liability for third-party misuse of those tools, Galeotti made it clear that criminal charges may still be appropriate for developers that act with criminal intent. This means that for a DeFi developer that knowingly facilitates a crime over a fully decentralized protocol, such as money laundering (18 U.S.C. § 1956), unlawful monetary transactions (18 U.S.C. § 1957), or interstate transportation of stolen property (18 U.S.C. § 2314), the DOJ could use the underlying criminal statutes to charge the developer for its role in the scheme even if Section 1960 charges would not apply.
- The DOJ’s focus remains on bad actors in the crypto markets causing individual harm. The DOJ’s enforcement efforts will continue to focus on cases involving investor harm, fraud, and misappropriation of assets, not those involving lawful or innovative developers. Galeotti described the DOJ’s role as “root[ing] out bad actors” from the cryptocurrency markets, safeguarding them by aggressively pursuing those who engage in fraud, misappropriation, smart contract exploits, and other abuses.
Takeaways for DeFi Founders and Developers
Given the complexity and array of DeFi use cases and applications, the DOJ is unlikely to have a one-size-fits-all enforcement approach to misconduct occurring across DeFi. But there are a number of ways founders and developers in DeFi can be proactive to mitigate the risk their platforms and protocols will come under DOJ scrutiny.
- Assess and Pursue Robust Decentralization. Developers should critically evaluate how decentralized their protocols truly are. The DOJ’s recent remarks indicate that genuinely immutable and self-executing protocols that avoid ongoing human intervention will strongly mitigate the risk of an enforcement action based on third parties’ use of the protocol. However, if control is retained, even in limited ways, regulatory risk increases and developers may have increased compliance obligations. Theoretical decentralization will not be enough when, in practice, control over key features remains with developers or other insiders.
- Conduct Illicit Finance Risk Assessments. Even when pursuing robust decentralization, as developers deploy new use cases for their DeFi products, they should thoroughly assess how those uses could facilitate, or be viewed after the fact as having facilitated, illicit finance activities. A risk assessment should consider the nature of the DeFi platform, the particular use case and the types of transactions it enables, and the data available to developers about those transactions, including its users’ wallet addresses, geographic locations, and transaction amounts.
- Take Reasonable Steps to Mitigate Known Risks. Even in highly decentralized systems, if developers retain some degree of control or influence, such as managing web interfaces, front-end applications, upgrades, oracles, or other gateways for the protocol, they must assess whether there are reasonable proactive measures that could be taken to prevent, detect, and mitigate illicit activity. Failing to act when control exists could subject developers to regulatory scrutiny. As in traditional finance, steps designed to mitigate illicit finance risk must be tailored to the platform and its use case.
- Have a Clear Plan for Promptly Responding to Identified Illicit Activity. Ignoring evidence of criminal activity occurring over a platform is not an option. Regardless of a DeFi platform’s decentralization, the DOJ will closely scrutinize any of its developers or insiders that knew of illicit financial transactions and did nothing. Even when information about problematic transactions is learned after the fact, the DOJ may scrutinize what happened next internally. As a result, founders and developers should craft an internal plan for escalating and responding to known issues and, as appropriate, update the terms of service for their front ends and other user interfaces.
