The Treasury Department has banned all Americans from using decentralized crypto-mixing service Tornado Cash.
The Office of Foreign Assets Control (OFAC), a watchdog agency tasked with preventing sanctions violations, on Monday added Tornado Cash to its Specially Designated Nationals list, a running tally of blacklisted people, entities and cryptocurrency addresses. As a result, all U.S. persons and entities are prohibited from interacting with Tornado Cash or any of the Ethereum wallet addresses tied to the protocol. Those who do may face criminal penalties.
Tornado Cash has been a key tool for the Lazarus Group, a North Korean hacking group tied to the $625 million March hack of Axie Infinity’s Ronin Network, according to the Treasury Department. Blockchain analysis showed that tens of millions of dollars’ worth of crypto stolen from Ronin flowed through Tornado Cash, which is designed to obfuscate the source of funds. OFAC previously sanctioned Blender.io, another mixing service that the Treasury Department alleged was used to launder proceeds from ransomware attacks, as well as about $20.5 million in crypto stolen from Ronin.
“Tornado Cash has been the go-to mixer for cybercriminals looking to launder the proceeds of crime, as well as helping to enable hackers, including those currently under U.S. sanctions, to launder the proceeds of their cybercrimes by covering up the origin and transfer of this illicit virtual currency,” a senior department official said. “Since its creation back in 2019, Tornado Cash has reportedly laundered more than $7 billion worth of virtual currency.”
Ari Redbord, head of legal and government affairs at analytics firm TRM Labs, told CoinDesk that the move is the Treasury Department’s “largest, most impactful action” in crypto to date.
According to data from blockchain analytics firm Nansen, ether (ETH) deposits on Tornado Cash spiked after Ronin was hacked earlier this year.
The average amount of ETH deposited on Tornado Cash eclipsed 220,000 in May and June 2022, according to Nansen. This total was worth $220 billion to $660 billion during that range, data from CoinGecko shows.
Overall, some 18% of the total amount of ETH flowing through Tornado Cash in recent months – 167,400 ETH – came from the Ronin hack, according to Nansen.
Proceeds from other hacks have also traveled through Tornado Cash, according to blockchain analysis from groups like Elliptic: Roughly 4,600 ETH (worth around $15 million at the time) stolen from crypto-exchange Crypto.com was laundered through the mixing service earlier this year. Proceeds from the $100 million hack of the Harmony bridge were laundered through Tornado Cash, and even proceeds from this month’s $200 million hack of the Nomad bridge moved through the service.
Redbord said the sanctioning of Blender.io, which is smaller than Tornado Cash, could be seen as a “preview” of Monday’s action, where OFAC may have hinted that entities allegedly laundering for criminals or such nations as North Korea may be in danger of violating sanctions.
“When you talk about North Korea in particular, Tornado Cash has been the go-to mixing service,” Redbord said. “What OFAC is saying is, ‘These hacks are more than hacks; they’re serious national security risks.’ It’s not just money laundering – it’s money laundering that’s going to be used for weapons proliferation.”
What makes the new sanction interesting is that Tornado Cash also has a significant amount of value that flows through it but is not associated with any illicit activities.
Adding the mixer to the sanctions list means all U.S. persons are responsible for ensuring they do not interact with crypto transacted through the service.
“I think what we’re seeing here from Treasury is, ‘If you are going to allow a lot of illicit activity, we are going to go after you even if there is a lot of legitimate activity,’” Redbord said.
Indeed, the U.S. government has spent years warning that crypto mixers may be illegal or aid in illegal activity. Earlier this year, Alessio Evangelista, former Financial Crimes Enforcement Network (FinCEN) associate director for enforcement, told the industry that crypto-service providers should be proactive in blocking transactions from “problematic” wallets, rather than wait for an OFAC designation.
Sanctions may not halt Tornado Cash itself from operating. Co-founder Roman Semenov previously told CoinDesk the privacy service was designed to operate without centralized control. While he and his team write and publish code, a decentralized autonomous organization (DAO) has to approve any changes before they are made.
“The protocol was specifically designed this way to be unstoppable, because it wouldn’t make much sense if some third party [such as a developer] would have control over it. This would be the same as if someone had control over Bitcoin or Ethereum,” he told CoinDesk at the time.
The developers went so far as to make open source its entire user interface, allowing anyone to weigh in on the code or the mixer’s design.
Depositing funds into Tornado Cash places them into a “pool” of other users’ tokens. From here, users can withdraw their funds to another address while concealing where they came from originally.
Tornado Cash says it is non-custodial, meaning users maintain complete control of their funds at all times – even if those funds are technically in one of Tornado’s pools.
Semenov previously told Bloomberg News that it would be “technically impossible” for sanctions to be applied to protocols like Tornado.
The senior Treasury Department official said during a press call that the agency would continue monitoring mixers, and could take further action if Tornado Cash continues as is.
“Since we sanctioned virtual currency mixer Blender.io, we have not seen evidence to suggest that it has remained active post that designation,” the official said. “We do believe that this action will send a really critical message to the private sector about the risks associated with mixers writ large, which obviously is designed to inhibit Tornado Cash or any sort of reconstituted versions of it to continue to operate.”
In Monday’s action OFAC sanctioned Tornado Cash’s donation address, proxy address, a Gitcoin grants address and several others, including a few USDC addresses. More than 40 addresses in total were put on the sanctions list.
Circle blacklisted the sanctioned Tornado addresses, freezing over $75,000 worth of USDC, later Monday.
UPDATE (Aug. 8, 2022, 15:00 UTC): Updated with additional context.
UPDATE (Aug. 8, 2022, 19:05 UTC): Adds USDC blacklisting.