Crypto-mixing service, Tornado Cash, blacklisted in the United States
The United States Treasury Department has announced today that it has banned American citizens from using Tornado Cash, a famous decentralized crypto-mixing service, in which one of its features so renders crypto tokens untraceable.
Today, the Office of Foreign Assets Control (OFAC), a watchdog agency tasked with preventing sanctions violations, added Tornado Cash to its Specially Designated Nationals list, a running tally of blacklisted people, entities and cryptocurrency addresses.
Due to this addition, all U.S. persons and entities are prohibited from interacting with Tornado Cash or any of the Ethereum wallet addresses tied to the protocol. Those who do may face criminal penalties.
What you should know
- Tornado Cash is a decentralized, non-custodial privacy solution built on Ethereum. It improves transaction privacy by breaking the on-chain link between the recipient and destination addresses. Tornado Cash uses a smart contract that accepts ETH and ERC-20 deposits. These deposits can be withdrawn by any on-chain address. Whenever an asset is withdrawn by the new address, there is no way to link the withdrawal to the deposit, ensuring asset privacy.
- The platform has been a key tool for the Lazarus Group, a North Korean hacking group tied to the $625 million March hack of Axie Infinity’s Ronin Network, according to the Treasury Department.
- Blockchain analysis showed that tens of millions of dollars’ worth of crypto stolen from Ronin flowed through Tornado Cash, which is designed to obfuscate the source of funds. OFAC previously sanctioned Blender.io, another mixing service that the Treasury Department alleged was used to launder proceeds from ransomware attacks, as well as about $20.5 million in crypto stolen from Ronin.
- A senior department official stated, “Tornado Cash has been the go-to mixer for cybercriminals looking to launder the proceeds of crime, as well as helping to enable hackers, including those currently under U.S. sanctions, to launder the proceeds of their cybercrimes by covering up the origin and transfer of this illicit virtual currency. Since its creation back in 2019, Tornado Cash has reportedly laundered more than $7 billion worth of virtual currency.”
- The Ronin hackers have repeatedly laundered Ronin proceeds through Tornado Cash, according to on-chain data analyses, even after OFAC sanctioned an Ethereum address tied to Lazarus Group it alleged was related to the hack. According to data from blockchain analytics firm Nansen, ether (ETH) deposits on Tornado Cash spiked after Ronin was hacked earlier this year.
- The OFAC also placed 44 USD Coin (USDC) and Ether (ETH) addresses connected to the mixer on its list of Specially Designated Nationals.
- The average amount of ETH deposited on Tornado Cash eclipsed 220,000 in May and June 2022, according to Nansen. This total was worth $220 billion to $660 billion during that range, data from CoinGecko shows.
- Overall, some 18% of the total amount of ETH flowing through Tornado Cash in recent months – 167,400 ETH – came from the Ronin hack, according to Nansen.
- Proceeds from other hacks have also traveled through Tornado Cash, according to blockchain analysis from groups like Elliptic: Roughly 4,600 ETH (worth around $15 million at the time) stolen from crypto-exchange Crypto.com was laundered through the mixing service earlier this year. Proceeds from the $100 million hack of the Harmony bridge were laundered through Tornado Cash, and even proceeds from this month’s $200 million hack of the Nomad bridge moved through the service.
Tornado Cash announced in July that it had fully open-sourced its user interface code as part of its goals toward complete decentralization and transparency. The mixer’s website included a compliance tool that allowed users to show the source of any transaction.
Sanctions may not halt Tornado Cash itself from operating. Co-founder Roman Semenov stated that the privacy service was designed to operate without centralized control. While he and his team write and publish code, a decentralized autonomous organization (DAO) has to approve any changes before they are made.