In a sudden move, the U.S. Department of the Treasury declared Tornado Cash as a sanctioned entity on Monday—barring all Americans from using the service.

The move comes on the one-year anniversary of Congress’s assault on cryptocurrency via the Infrastructure Investment and Jobs Act. Across the board, critics expressed frustration at the time over how the cryptocurrency provisions in the law were far too broad—effectively labeling miners, software developers, and the like in the same category as exchange platforms. In doing so, the law set a de facto ban on legal cryptocurrency mining and exposed over 60 million Americans to new felony crimes.

However, with this latest move, it seems that the Treasury is keen on repeating Congress’s mistake with a new sweeping decision that has exposed Americans to another new felony crime. With little to no notice, the Treasury announced that Tornado Cash and a host of cryptocurrency wallet addresses were added to the Office of Foreign Assets Control’s (OFAC’s) list of specially designated nationals (SDN). To interact with the service or the wallets is now in direct violation of U.S. sanctions laws and could lead to upwards of 20 years in prison.

When Nikhilesh De reported the news early on Monday morning, he was correct to note that Tornado Cash has been a tool used by hacking groups. Its core function is to obfuscate the source of funds and is thus attractive for criminals for obvious reasons, but, this feature is not attractive for criminals alone. Financial privacy is something that is valued far beyond any one group. And as De later noted, “What makes the new sanction interesting is that Tornado Cash also has a significant amount of value that flows through it but is not associated with any illicit activities.”

Yet the Treasury’s decision is not overly sweeping solely because of the innocent bystanders that have been affected in its wake. The Treasury also appears to have failed to recognize the nature of a decentralized software protocol, which is an important consideration for regulators and policymakers alike when attempting to regulate cryptocurrency and blockchain projects. The developers of Tornado Cash made the code open source, the service non-custodial, and the governance subject to a decentralized autonomous organization (DAO). So while the Treasury may wish to really target just the bad actors, targeting software is a poor proxy for doing so. Just how poor of a proxy it is was put on display when U.S. Secretary of State Antony Blinken tweeted (and then deleted) the claim that Tornado Cash was a North Korean state-sponsored hacking group.

While someone in the State Department clearly recognized that Blinken’s tweet went too far, the administration appears unwilling to craft cryptocurrency policies that simply go directly after criminals, despite the ability to do so being readily available. For instance, a senior Treasury official said, “We do believe that this action will send a really critical message to the private sector about the risks associated with [services like Tornado Cash].” And it certainly has sent a message: Google, Github, Circle, and likely a host of others have opted to cut ties with Tornado Cash. However, it’s unlikely they did so because of the alleged criminal risks that Treasury had in mind. Rather, it seems they recognized the real risk now is engaging in an activity that the Treasury has suddenly deemed illegal.

Just as it makes no sense to ban air travel to stop criminals from crossing borders, it makes no sense to ban the technology behind Tornado Cash. If Treasury is concerned about criminals, it should go after criminals.