Tornado Cash, one of the most widely used coin-mixing applications, was sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on August 8, 2022, for allegedly helping North Korean hackers launder billions of dollars of users’ funds. With this, the US government has prohibited the use of Tornado Cash and has barred all US citizens and businesses from interacting further with the protocol.
Since its inception in 2019, Tornado Cash is estimated to have been used to launder more than $7 billion worth of digital assets. The laundered assets include over $450 million stolen by the North Korea-based 'Lazarus Group', which was sanctioned by the US government in 2019.
According to the U.S. Treasury's official press release, "Tornado Cash was subsequently used to launder more than $96 million of malicious cyber actors’ funds derived from the June 24, 2022 Harmony Bridge Heist, and at least $7.8 million from the August 2, 2022, Nomad Heist."
According to Merkle Science’s analysis,
<a href="#"><img alt="Dashboard 1 " src="https://public.tableau.com/static/images/To/TornadoCash2022/Dashboard1/1_rss.png" style="border: none"></a>
From February 2021, Tornado Cash consistently had monthly deposits of more than $600 million, while April 2022 saw the highest volume of deposits (around $1.45 billion).
It was further stated that "Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks. The US Treasury Department will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them."
This is the first time in history that a piece of code has been sanctioned by OFAC, though coin mixers like Blender.io have already been placed on the sanctions list.
The US Treasury has also added 45 Ethereum and USD Coin (USDC) addresses associated with Tornado Cash to its Specially Designated Nationals and Blocked Persons (SDN) list.
Cyber Sanctions (Executive Order 13694) was issued by the U.S. government on April 1st, 2015. This authorized the imposition of sanctions on individuals and entities which are determined to be responsible for or are guilty of enabling malicious cyber activities that may be a significant threat to the nation's security and stability.
The Treasury defines the 'Specially Designated Nationals and Blocked Persons list' as a list of "individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and companies are called 'Specially Designated Nationals' or 'SDNs.' Their assets are blocked and U.S. persons are generally prohibited from dealing with them."
The common narrative surrounding the anonymity of crypto transactions is not entirely true. In reality, activity on blockchains, especially public blockchains like Bitcoin and Ethereum, is pseudonymous rather than anonymous. Though it is true that in cryptocurrency transactions parties can transact between themselves without revealing their identities and without involving intermediaries, this isn’t true anonymity. These transactions are visible and accessible on the public blockchain.
Blockchain technology enables us to carry out transactions in a decentralized and transparent manner, but such degrees of transparency in financial matters may result in a decreased anonymity of users in addition to increasing the risk of vulnerabilities on-chain.
This problem was solved by the introduction of coin mixing technologies into the cryptocurrency ecosystem that enhance user privacy by making transactions untraceable. Mixers and tumblers are cryptographic facilities or services that mix different streams of potentially traceable cryptocurrencies, concealing the trail leading back to the fund’s original source. Essentially, cryptocurrency owners use mixing & tumbling services to mix their coins with others in order to obfuscate transaction history and maintain privacy.
Tornado Cash is an open-source, non-custodial, decentralized cryptocurrency mixer that runs on the Ethereum blockchain. It is a privacy tool that mixes potentially identifiable cryptocurrencies together in a liquidity pool so as to obscure all traces of the wallet’s prior transactions.
Tornado Cash carries out the process of obfuscation with the help of Smart Contracts that enable
To ensure that the right amount of funds reaches the right owners at the time of withdrawal and only the deposited amount of tokens is sent to a user’s wallet, Tornado Cash sends a secret hash to each user. The protocol recommends that users store this hash carefully, since losing it may lead to the denial of all their withdrawal requests.
After making a withdrawal request, the users are required to prove the ownership of the assets claimed by them. For this, they need to enter the private key generated by the protocol at the time of deposit along with the deposit note. Once verified by the protocol’s code, the user is allowed to withdraw the deposited amount through one or more addresses.
Mixing platforms like Tornado Cash can help malicious actors disguise their funds by obfuscating the transaction history of their assets. This makes it difficult to trace the connection of funds or wallets to malicious activities and helps them get away with a large amount of illegally acquired assets.
For instance, in 2021, a large number of hackers used mixers and tumblers to evade detection.
In the BitMart Hack, exploiters stole $150 million worth of tokens from ETH and Binance Smart Chain (BSC) hot wallets. The hackers swapped the stolen tokens by using '1inch' — a decentralized exchange aggregator — and then used Tornado Cash to mix the funds, allowing them to hide all their previous transactions by mixing the coins in the protocol's liquidity pool.
According to the OFAC, Lazarus Group used Tornado Cash to launder circa $450 million. In fact, Tornado Cash has been at the center of multiple recent hacks including the Ronin bridge attack, Harmony bridge exploit, Nomad heist, Beanstalk flash loan attack, and many more.
According to Merkle Science's analysis,
The OFAC sanctions on Tornado Cash state that:
In order to apply for a specific license to complete a transaction or withdraw virtual currency involving Tornado Cash that was deposited prior to its designation, or to engage in other transactions or dealings with Tornado Cash, you are encouraged to file a licensing request by visiting the following link.
These prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person and the receipt of any contribution or provision of funds, goods, or services from any such person.
To summarize, as of August 8, 2022 10:30 am ET (the time when OFAC officially sanctioned Tornado Cash), all U.S. citizens and entities are required to comply with the Tornado Cash sanctions. Essentially, U.S. persons are barred from any further interaction with the protocol and are prohibited from engaging in transactions with or otherwise providing services to or for the benefit of:
In OFAC’s Questions for Virtual Currencies, question number 562, the regulatory body has clarified that digital currency addresses listed in its SDN list are likely to be non-exhaustive. Therefore, it is the responsibility of U.S. citizens and entities to ensure that they do not interact with addresses belonging to or associated with Tornado Cash.
The OFAC has explicitly stated that “parties who identify digital currency identifiers or wallets that they believe are owned by, or otherwise associated with, an SDN and hold such property” should take necessary steps to block such virtual currencies and file a report with OFAC that includes information about the wallet’s or address’s ownership and any other relevant details.
To register for access to ORS (OFAC Reporting System), please email OFACReport@treasury.gov and include the name of the reporting institution, the name and email of the primary point of contact and any other person empowered to file reports.
Interactions prior to the designation
As per the International Trade and Investments team of the prominent law firm Orrick, Herrington & Sutcliffe LLP, funds that were mixed through Tornado Cash prior to the designation time and funds that Tornado Cash no longer has an interest in are not required to be blocked or frozen as a result of the OFAC sanctions on Tornado Cash.
The Treasury also stated that U.S. persons who sent funds to Tornado Cash prior to its designation must apply for a specific license from OFAC in order to withdraw the assets, and must provide all relevant information regarding these transactions with Tornado Cash, including the wallet addresses, transaction hashes, the date and time of the transaction(s), as well as the amount of virtual currency involved.
Provided there is no other sanctionable conduct, OFAC will apply a favorable licensing policy.
In its frequently asked questions, question number 1077, OFAC stated that no U.S. citizen is now allowed to engage in any transaction involving Tornado Cash, including through virtual currency wallet addresses that OFAC has sanctioned. If citizens were to initiate or otherwise engage in a transaction with a sanctioned entity, such a transaction would violate the U.S. sanctions prohibitions, unless exempt or authorized by OFAC.
If any fund was mixed through Tornado Cash after the designation time and was directly transferred to a U.S. citizen, such funds and the addresses need to be blocked or frozen.
The aforementioned entities should also ensure that their customers do not transfer funds to or withdraw funds from addresses belonging to or associated with Tornado Cash.
According to the OFAC Questions on Virtual Currencies, Question 646, once a U.S. person or entity determines that they hold a virtual currency that is required to be blocked pursuant to OFAC's regulations
Before blocking or freezing addresses, entities must analyze sanctions risk data on the given blockchain addresses to identify the wallet addresses that have had an inadvertent sanctions exposure. Essentially, it is important to differentiate between users who have intentionally used Tornado Cash and users who have unintentionally received funds from sanctioned addresses.
For instance, a crypto trading platform may receive a deposit of 100 ETH from its customer. While analyzing the transaction, it may discover that out of the 100 ETH deposited, 30 ETH can be tied to a sanctioned entity such as Tornado Cash, while 70 ETH was received from regulated crypto exchanges. In this situation, the onus is on the platform to differentiate between transactions that were performed willfully and those in which the customer had an unintentional exposure, for instance, receiving funds through dusting attacks.
Tornado Cash was officially declared a sanctioned entity by the US government on August 8, 2022. With this, it is now illegal for US citizens to interact with the protocol or to engage with the blocked addresses in any further transaction.
Although Tornado Cash was sanctioned for allegedly helping hackers and exploiters launder billions of dollars of funds, the impact of the sanctions can be felt across the whole crypto community. From large amounts of users’ funds getting locked in the protocol to innocent crypto users being blocked from major exchanges, the ecosystem is still reckoning with the sanctions.
One such unforeseen effect of the sanctions is the increase in dusting attacks from addresses linked with Tornado Cash. A dusting attack is an attack in which a wallet is sent tiny amounts of cryptocurrency (known as "dust") without its owner's knowledge. Victims are sent tokens via an airdrop. When the victim tries to transact these tokens further, the sender is able to de-anonymize the wallet user.
This is a technique used by bad actors who misuse the user's information to conduct illicit activities like phishing emails and scams.
Reports suggest that more than 600 addresses were hit by such attacks shortly after the ban. Crypto users reported a suspicious transfer of 0.01 ETH to their wallet from an address linked with Tornado Cash. Since all the addresses that have interacted with Tornado Cash are now considered illegitimate, innocent users have been blocked from DeFi apps and exchanges after being hit by such dusting attacks. Wallets owned by well-known celebrities, public figures and major exchanges have also been targets of these attacks.
Since it isn’t possible to decline an incoming transaction on the blockchain, the government has asked users to freeze any transaction or fund coming from Tornado Cash.
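The triage described above, separating the 100 ETH deposit with 30 ETH of sanctioned origin from a wallet that was merely dusted with 0.01 ETH, can be sketched as a one-hop screening check. This is an added example, not Merkle Science's or OFAC's method; the addresses are constructed placeholders, and the `DUST_MAX_ETH` cutoff and the label names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed placeholders, not real SDN entries or customer wallets.
SANCTIONED = {"0xMIXER_POOL_A", "0xMIXER_POOL_B"}
DUST_MAX_ETH = Decimal("0.05")  # assumed policy cutoff for "dust"


@dataclass(frozen=True)
class Transfer:
    sender: str
    receiver: str
    amount_eth: Decimal


def assess_wallet(wallet, transfers, sanctioned=SANCTIONED, dust_max=DUST_MAX_ETH):
    """Direct (one-hop) sanctions exposure of `wallet`, with a triage label."""
    # Addresses are hex and case-insensitive, so compare in lower case.
    listed = {a.lower() for a in sanctioned}
    me = wallet.lower()
    inbound = [t for t in transfers if t.receiver.lower() == me]
    tainted = [t for t in inbound if t.sender.lower() in listed]
    sent = [t for t in transfers
            if t.sender.lower() == me and t.receiver.lower() in listed]
    total_in = sum((t.amount_eth for t in inbound), Decimal(0))
    tainted_eth = sum((t.amount_eth for t in tainted), Decimal(0))
    ratio = tainted_eth / total_in if total_in else Decimal(0)

    if sent:
        label = "direct_use"         # the wallet itself paid a listed address
    elif not tainted:
        label = "clean"
    elif all(t.amount_eth <= dust_max for t in tainted):
        label = "inadvertent_dust"   # only tiny inbound amounts it could not refuse
    else:
        label = "material_exposure"  # escalate: blocking and reporting review
    return {"label": label, "exposure_ratio": ratio, "tainted_eth": tainted_eth}


# Constructed sample: 100 ETH deposited, 30 of it from a listed address.
DEPOSIT_CASE = [
    Transfer("0xMIXER_POOL_A", "0xCUSTOMER_1", Decimal("30")),
    Transfer("0xREGULATED_EXCHANGE", "0xCUSTOMER_1", Decimal("70")),
]
# Constructed sample: a wallet dusted with 0.01 ETH from a listed address.
DUST_CASE = [
    Transfer("0xREGULATED_EXCHANGE", "0xCUSTOMER_2", Decimal("12")),
    Transfer("0xmixer_pool_b", "0xCUSTOMER_2", Decimal("0.01")),
]
```

The check only inspects direct counterparties; funds that passed through intermediate wallets before arriving would need multi-hop tracing to surface.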
OFAC updated its frequently asked questions document, clarifying in questions 1076, 1077, 1078 and 1079 that