The Written Craft

Crafting content just for you.

Author: Conor

Tornado Cash Sanctions: How to Handle Compliance

The sanctions against the Tornado Cash mixer have far-reaching implications for the crypto and blockchain space, with crypto companies now at major, unprecedented risk of exposure to sanctions violations.

We’re going to take a closer look at exactly what Tornado Cash does, the nature of the sanctions, and how you can avoid accidentally interacting with sanctioned funds.

Contents

  • What is Tornado Cash and how does it work?
  • Why was Tornado Cash sanctioned?
  • Is Tornado Cash shut down?
  • “Dusting” attacks create a compliance nightmare
  • Who is at risk of non-compliance?
  • How to handle Tornado Cash sanctions compliance

What is Tornado Cash and how does it work?

Tornado Cash is an open-source, decentralized crypto mixer that was sanctioned by the US Treasury’s Office of Foreign Assets Control (OFAC) on August 8th 2022.

The purpose of Tornado Cash is to anonymize digital assets, and the project does not have a centralized team running it. Tornado Cash is governed through a Decentralized Autonomous Organization (DAO) that uses TORN tokens to vote on system updates and changes.

The mixer exists as a smart contract, a self-executing piece of code running on a blockchain network. At the time of the sanctions, Tornado Cash was mostly in use on the Ethereum network, though also present on Polygon, Optimism, and Binance Chain.

In short, users can deposit funds to the mixer and receive mixed or laundered funds in return, and it is difficult to connect these new funds to the original user.

Here’s how it works in some more detail.

  • Users can connect a wallet in a web app, download an app on their computer, or interact with Tornado Cash using command line prompts.
  • Users then send funds to a Tornado Cash smart contract. This deposit generates a cryptographic hash, which is like a receipt for their deposit. This hash is represented as a string of characters and numbers.
  • The transaction is broadcast to other Tornado Cash smart contracts, and the funds from different users are pooled together and divided into fixed denominations.
  • Using the hash as verification, users withdraw funds from the pool, obfuscating the trail of anyone tracing those funds.

Users do not lose custody of their funds when using this mixing tool.

When mixing ETH, funds are split into denominations of 0.1, 1, 10, and 100 ETH, and these fixed amounts are used for the purposes of creating anonymity.

In the example below, we can see that the user is depositing 0.1 ETH, and that the mixer is currently holding the same sum of ETH for 426 other users.

From the now defunct Tornado Cash website

When everyone withdraws their funds, an investigator trying to trace a single individual will have 426 other candidates to contend with, making it much more difficult to follow the trail of funds online.

Why was Tornado Cash sanctioned?

The OFAC report states that Tornado Cash was sanctioned for its use in laundering $455 million by the Lazarus Group, a North Korean cybercrime group which was itself sanctioned in 2019. The mixer was sanctioned pursuant to Executive Order 13694 which relates to malicious cyber activities.

OFAC also cited the laundering of funds from the Harmony Bridge and Nomad heists and asserted that Tornado Cash has laundered a total of $7.6 billion.

It’s worth noting that Tornado Cash was used for licit as well as illicit purposes, such as anonymously donating funds to the Ukrainian war effort against Russia as well as other political causes.

OFAC designated Tornado Cash as a sanctioned entity and added a website and list of addresses that comprise the entity. All property and interests in property connected to Tornado Cash have been sanctioned by OFAC.

Is Tornado Cash shut down?

No. The Tornado Cash website has been suspended, but the service itself runs on public smart contracts that are essentially autonomous and will continue to function without developer maintenance.

Tornado Cash can still be accessed through the InterPlanetary File System (IPFS) and via the Tor Browser on the dark web.

Tornado Cash will continue to operate for as long as the blockchain networks that support it are up and running. Tornado Cash developers and the DAO that runs the project do not have the ability to shut down or destroy the mixer.

In fact, the DAO behind Tornado Cash is still active and passed a new governance protocol in October despite the sanctions, indicating that the community does not intend to disband.

The governance vote could also be intended to help shift blame from Tornado Cash co-founder Alexey Pertsev and aid his release from the custody of Dutch authorities following his arrest in August.

Message left by largest TORN voter on latest governance proposal

However, the current DAO being active is not the only issue.

The open-source code behind Tornado Cash is easily accessible and could simply be forked and implemented again on another blockchain, albeit without the starting liquidity and developer attention that a new mixing service might need to function.

This presents a unique challenge to regulators. While OFAC can sanction Tornado Cash and anyone who uses it, the mixer itself cannot easily be shut down.

Members of law enforcement and regulatory agencies should prepare for similar situations to arise with other decentralized financial services, such as copycat versions of Tornado Cash cropping up under new names with similar code.

Similarly, any company dealing in crypto transactions needs to be extremely cautious to avoid accidentally falling under the purview of the new sanctions, as any unmonitored funds could potentially have come from a sanctioned Tornado Cash wallet.

We’ll discuss how to avoid this further down.

Legal implications of Tornado Cash sanctions

Tornado Cash is the second virtual asset mixer to ever be sanctioned, following Blender.io in May 2022.

However, the Tornado Cash designation marks the first time a piece of software was sanctioned rather than a person or legal entity.

OFAC is now being sued by Coin Center, a non-profit organization in the crypto space. Coin Center asserts that OFAC does not have the authority to sanction a piece of decentralized software. A separate lawsuit of a similar nature is being backed by the Coinbase exchange.

The Tornado Cash blacklisting sets unique legal precedents, and it’s important to be aware of exactly which actions are and are not prohibited.

OFAC states that “engaging in any transaction with Tornado Cash or its blocked property or interests in property is prohibited for U.S. persons.”

While people may copy/paste the code or view archived versions of the website for research purposes, using any funds or wallets connected to Tornado Cash is strictly prohibited for any US person or company.

This issue has been complicated by the onset of Tornado Cash “dusting” attacks throughout the crypto space.

“Dusting” attacks create a compliance nightmare

Since the sanctions, tens of thousands of dollars worth of ETH has been sent in small sums from Tornado Cash wallets to the wallets of high-profile celebrities and other crypto users.

Sending these anonymous and unsolicited transactions of OFAC-blocked funds is referred to as “dusting,” and the aim is likely to challenge the ability of authorities to enforce sanctions.

Source: Twitter

Celebrities such as Jimmy Fallon, Snoop Dogg, and Coinbase CEO Brian Armstrong have received small sums of ETH from Tornado Cash wallets.

The dusting raises the question of whether these celebrities are now in breach of sanctions, and whether any individual or business with a wallet can be targeted in this way.

Who is at risk of non-compliance?

According to OFAC guidelines, anyone receiving blocked funds has 10 days to report the receipt of these funds, and must report them annually thereafter.

All US persons and businesses are required to comply with OFAC regulations.

In the case of dusting attacks, OFAC has stated that while it “will not prioritize enforcement against the delayed receipt of initial blocking reports,” its regulations do apply to unsolicited transactions of blocked funds.

Victims of dusting attacks are therefore not a high enforcement priority, but they are still required to comply.

OFAC has made it clear that people whose accounts have been dusted can apply for a specific license.

How to handle Tornado Cash sanctions compliance

To comply with sanctions, OFAC recommends the use of:

  • Geolocation tools
  • Transaction monitoring and investigation
  • Sanctions screening

Companies that will need to implement these measures include:

  • DeFi Platforms
  • Crypto wallet providers and exchanges
  • Stablecoin projects
  • Web3 infrastructure providers
  • Mining pools
  • Staking pools

Businesses and individuals should be proactive in alerting OFAC about their status following a dusting attack. They should also check whether any incoming transactions are connected to sanctioned wallets and monitor these transactions on an ongoing basis.
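As an added illustration (not code from the article or from any vendor named here), the sketch below screens incoming transfers against a sanctions list and computes the reporting deadline from the 10-day window quoted above. The addresses, the `Transfer` record and the function names are constructed for the example, and calendar days are assumed.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed placeholder, NOT a real designated address. In production, load
# the addresses from OFAC's published sanctions list and refresh them.
SANCTIONED = {"0x" + "aa" * 20}
REPORT_WINDOW_DAYS = 10  # figure quoted in this article; calendar days assumed


@dataclass
class Transfer:
    tx_hash: str
    sender: str
    recipient: str
    amount_wei: int
    received: date


def normalize(addr: str) -> str:
    """Lower-case a 20-byte hex address so checksummed and plain forms match."""
    a = addr.strip().lower()
    if not re.fullmatch(r"0x[0-9a-f]{40}", a):
        raise ValueError(f"not an Ethereum-style address: {addr!r}")
    return a


def screen_incoming(transfers, our_wallets, sanctioned=SANCTIONED):
    # Amount is recorded but never used as a filter: a dust-sized transfer of
    # blocked funds is still a hit that needs a report.
    ours = {normalize(w) for w in our_wallets}
    listed = {normalize(s) for s in sanctioned}
    findings = []
    for t in transfers:
        if normalize(t.recipient) in ours and normalize(t.sender) in listed:
            deadline = t.received + timedelta(days=REPORT_WINDOW_DAYS)
            findings.append({"tx_hash": t.tx_hash, "amount_wei": t.amount_wei,
                             "report_by": deadline})
    return findings


# Constructed sample data: one dust hit, one clean transfer, one unrelated wallet.
OUR_WALLET = "0x" + "12" * 20
SAMPLE = [
    Transfer("tx-dust", "0x" + "AA" * 20, OUR_WALLET, 10**14, date(2022, 8, 9)),
    Transfer("tx-clean", "0x" + "cc" * 20, OUR_WALLET, 10**18, date(2022, 8, 10)),
    Transfer("tx-other", "0x" + "aa" * 20, "0x" + "dd" * 20, 10**18, date(2022, 8, 10)),
]
```

This only catches direct transfers from a listed address; funds that passed through an intermediate wallet first need the graph-based tracing tools mentioned below.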

Whether receiving small sums through dusting attacks or larger sums through a lack of account monitoring, it would be all too easy to receive and accept funds from a Tornado Cash wallet without realizing.

In the latter case, OFAC would likely be less lenient.

Compliance officers may also find it useful to look into blockchain tracking software tools, such as those provided by companies like Chainalysis, Elliptic, and Coinfirm.

These tools can help identify, cluster, and easily visualize Tornado Cash addresses in graphs that you and your colleagues can refer to and collaborate on, tackling the risk of non-compliance head-on.


© 2024 The Written Craft
