Post preview.

Regulators have been drawing the same line for three years straight. Not "is it crypto?" Not "does it have a privacy feature?" The line is custody. What the 2025 record actually nailed down.

Samourai Wallet's founders were sentenced in November 2025 on unlicensed money-transmission charges. The argument was not about cryptographic privacy. It was custody: they received, controlled and transmitted user funds. That was the hook the whole case hung on.

The Tornado Cash case is still live. The August 2025 split verdict turned on whether the defendants kept ongoing operational control, or wrote code and walked away. Unresolved. A retrial is expected around October 2026. Worth watching closely, not quoting prematurely.

The eXch infrastructure was seized by Germany's BKA in April 2025. The framing was operational control, KYC failures, and suspected receipt of stolen funds. Custody and control again, not the maths.

The pattern across three years is boringly consistent. Enforcement went after businesses that took custody and ran as money transmitters without registering. Not cryptographic privacy as a property. The legal hook has been custody every single time.

Husher's structure: funds go wallet, ESP one-time address, CEX liquidity, destination. Husher never holds funds. ESPs are independent and apply their own AML. A different model from the ones prosecuted. Not legal advice, and the Tornado Cash question is genuinely still open.

For builders making custody and integration decisions, one question decides cases: did you hold funds on behalf of users? The EU AMLR 2027 deadline applies to licensed CASPs, not to protocols and not to self-custody. Read the actual rule before you assume it is pointed at you.