On August 8th, the popular Ethereum smart-contract mixer Tornado Cash was sanctioned by the U.S. Treasury’s Office of Foreign Assets Control (OFAC) for its role in laundering over $455 million worth of cryptocurrency stolen by the North Korean-linked hacking organization Lazarus Group.
Tornado Cash has mixed over $7.6 billion worth of Ether since launching in August 2019. Almost 30% of the funds sent through it have been tied to illicit actors.
However, given Tornado Cash’s unique qualities – its non-custodial nature, its smart contract-encoded design, and its decentralized development team – sanctions compliance has been more complicated in this case than in past situations. That’s why we’ve written this guide: to provide clarity where we can and pose questions where they remain.
- How Tornado Cash works
- OFAC’s designation of Tornado Cash
- Sanctions compliance challenges for:
  - Centralized cryptocurrency businesses
  - Mining and staking pools
  - Web3 infrastructure providers
  - Crypto wallet providers
- How organizations use Chainalysis to manage sanctions risk
How Tornado Cash works
Crypto mixers like Tornado Cash are designed to create a disconnect between the cryptocurrencies that a user deposits and withdraws. At a high level, they work by pooling the funds deposited by many users together, shuffling them in a seemingly random fashion, and then subtracting a small service fee and returning the remaining funds to each depositor. Tornado Cash is no exception – though its details differ.
Tornado Cash: a decentralized, non-custodial smart contract
Technically speaking, Tornado Cash is a decentralized, non-custodial smart contract, which is distinct from other types of crypto mixers. Let’s define each of these words in the context of Tornado Cash:
- Decentralized: Tornado Cash’s codebase is open source, and its operations are managed – at least in part – by a decentralized autonomous organization (DAO). This source code was published on GitHub until the platform removed its main repository following OFAC’s sanctions announcement. A cryptography professor at Johns Hopkins has since re-uploaded it on free-speech grounds.
- Non-custodial: Tornado Cash does not gain custody over its users’ funds at any point during the mixing process.
- Smart contract: At its core, Tornado Cash is just code running on various open public blockchains like Ethereum. Crucially, most of its smart contracts are designed in such a way that they cannot be changed or destroyed by anyone, including the Tornado Cash DAO.
An implication of Tornado Cash’s decentralization that regulators and crypto compliance teams should be aware of is that the protocol continues to operate, and that its front-end is still accessible on the InterPlanetary File System (IPFS) and over The Onion Router (also known as Tor). IPFS is a distributed, peer-to-peer protocol for storing and sharing data, while Tor is an open-source software package that enables anonymous communication and is colloquially known as “the dark web.”
How Tornado Cash mixes funds
By design, there are many ways to use Tornado Cash. The simplest approach—prior to OFAC’s designation—was to navigate to Tornado Cash’s web app and connect a crypto wallet. A slightly more involved approach is to download a version of the app to use from a computer. And the most sophisticated approach of all is to use a command line interface to interact with the protocol.
Tornado Cash’s mixing process
However an individual uses Tornado Cash, there are three key steps in the mixing process.
- The user generates a “deposit note” on their local device and shares a cryptographic hash of it in a transaction with their chosen Tornado Cash pool contract. This note is sort of like a claim check you would get at a restaurant to prove that you own the coat you handed over – though in this case, the note is a long string of data that you’re asked to store/encrypt.
- The user’s funds are sent to the contract, which pools this deposit alongside the deposits of other users in the denominations specified by the contract, such as 0.1, 1, 10, or 100 ETH. The funds can remain in that pool for as long as the user would like. (Pools also exist for the tokens USDC, USDT, DAI, cDAI, and wBTC, and for assets on blockchains other than Ethereum.)
- The user, utilizing their secret deposit note and some nifty zero-knowledge cryptography, generates a transaction that proves they have the right to withdraw the deposited value. The user can then either withdraw the funds themselves or have a “relayer” process the withdrawal on their behalf in exchange for a 0.05% to 0.2% fee. This relay transaction severs any direct connection between the user’s deposit and withdrawal.
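The three steps above as a constructed model (an added example, not Tornado Cash’s own code): a locally generated note, a pool that only ever sees the note’s hash, and a withdrawal that is refused if the note was already spent. The zero-knowledge proof is replaced by presenting the note itself, and SHA-256 stands in for the hashes the real circuits use; both are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed model of the three-step flow (added example, not Tornado Cash
# code). The real contracts verify a zero-knowledge proof against a Merkle tree
# of commitments; here the withdrawer simply presents the note, which is enough
# to show the bookkeeping: commitments, nullifiers, denominations, relayer fee.

DENOMINATIONS_ETH = (0.1, 1, 10, 100)


def h(*parts: bytes) -> str:
    """SHA-256 stands in for the circuit-friendly hashes used on-chain (assumption)."""
    return hashlib.sha256(b"".join(parts)).hexdigest()


def make_note() -> dict:
    """Step 1: the note (nullifier + secret) is generated locally and never sent."""
    nullifier, secret = secrets.token_bytes(31), secrets.token_bytes(31)
    return {"nullifier": nullifier, "secret": secret, "commitment": h(nullifier, secret)}


class Pool:
    """One fixed-denomination pool: only commitment hashes ever reach it."""

    def __init__(self, denomination: float) -> None:
        if denomination not in DENOMINATIONS_ETH:
            raise ValueError("unsupported denomination")
        self.denomination = denomination
        self.commitments: set[str] = set()      # Merkle-tree leaves in the real contract
        self.spent_nullifiers: set[str] = set()

    def deposit(self, commitment: str, amount_eth: float) -> None:
        """Step 2: funds join the pool; equal sizes keep deposits indistinguishable."""
        if amount_eth != self.denomination:
            raise ValueError("deposit must equal the pool denomination")
        self.commitments.add(commitment)

    def withdraw(self, note: dict, recipient: str, relayer_fee_pct: float = 0.0) -> dict:
        """Step 3: show the note matches an unspent commitment, pay the relayer if used."""
        if relayer_fee_pct and not 0.05 <= relayer_fee_pct <= 0.2:
            raise ValueError("relayer fee outside the 0.05% to 0.2% range")
        nullifier_hash = h(note["nullifier"])
        if nullifier_hash in self.spent_nullifiers:
            raise ValueError("note already spent")   # blocks a second withdrawal
        if h(note["nullifier"], note["secret"]) not in self.commitments:
            raise ValueError("no matching deposit")  # ZK membership proof in the real contract
        self.spent_nullifiers.add(nullifier_hash)    # the contract never learns which leaf
        fee_eth = self.denomination * relayer_fee_pct / 100
        return {"to": recipient, "amount_eth": self.denomination - fee_eth, "relayer_fee_eth": fee_eth}
```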
For more on how Tornado Cash works, watch our video on Chainalysis Academy.
OFAC’s designation of Tornado Cash
Tornado Cash can be a practical solution for legitimate users seeking financial privacy, like those who wish to donate to political causes without making the details public or those who wish to keep information about their wealth private. But it’s also attractive to cybercriminals seeking to launder money. Treasury’s press release announcing the Tornado Cash sanctions specifically pointed to Tornado Cash’s role in laundering over $455 million worth of cryptocurrency stolen from Axie Infinity’s Ronin Bridge protocol by the North Korea-affiliated hacking organization Lazarus Group, and its receipt of funds stolen from Harmony Bridge and Nomad Bridge in June and August of this year. Since 2019, almost 30% of the funds sent through it have been tied to illicit actors, and the Democratic People’s Republic of Korea has been one of its chief beneficiaries.
The Tornado Cash addresses that OFAC included in the designation consist of deposit addresses, routing addresses, proxy addresses and more.
Sanctions compliance challenges
OFAC’s most recent guidance on virtual currency stated that each of the business types we discuss in this section, as well as any others that interface with the crypto industry, “are encouraged to develop, implement, and routinely update a tailored, risk-based sanctions compliance program. Such compliance programs generally should include sanctions list and geographic screening and other appropriate measures as determined by the company’s unique risk profile.”
However, there are open questions about how – and to what extent – certain categories of crypto industry protocols can comply with these sanctions. We address each of these categories below.
Centralized cryptocurrency businesses
OFAC has included 44 addresses as identifiers of Tornado Cash. Centralized crypto businesses subject to US jurisdiction are prohibited from interacting with these addresses.
A front-end web application that is used to interact with a DeFi protocol can block cryptocurrency addresses with exposure to Tornado Cash, but regulation has not yet stipulated whether such a block is needed at the protocol level or if such a block is even possible.
The tension here comes from the fact that at the protocol level, it is extremely difficult – or, depending on the protocol’s governance structure and how it has been designed, perhaps even impossible – to censor a transaction.
For example, the design of the Ethereum blockchain made it such that people were able to send an estimated $52,000 in small Tornado Cash payments to celebrities and industry figures in the wake of OFAC’s designation — none of whom were able to refuse receipt of these transactions. Now, these “dusting attack” targets have control of assets with exposure to Tornado Cash, which could have downstream compliance impacts.
Mining and staking pools
One open question for miners and mining pool operators is this: If you mine a block containing a Tornado Cash transaction, are you now in violation of OFAC regulations? And on proof-of-stake blockchains, what about validators and staking pools? In the absence of existing guidance, the largest Ethereum miner, Ethermine, stopped including Tornado router transactions in its blocks on August 9th, the day after OFAC’s designation was announced. But the question remains as to whether a pool is ultimately responsible for the transactions mined/validated within its blocks.
Web3 infrastructure providers
Two popular web3 infrastructure providers, Infura and Alchemy, now block Ethereum API access for Tornado Cash. This means that users can no longer connect to the Tornado Cash front-end using Alchemy or Infura APIs.
However, much like DeFi protocols, infrastructure providers may be unable to block user access at the protocol level, and it is unclear whether such obligations exist.
Crypto wallet providers
People operating centralized, custodial crypto wallets can screen and block transfers to the addresses identified in OFAC’s designation, but the obligations of non-custodial crypto wallet providers are less clear. An extreme interpretation could mean that non-custodial wallet providers might also need to block transfers to the sanctioned addresses, though this would be unprecedented.
Because it is impossible to block incoming transactions regardless of custodial status, users remain vulnerable to dusting attacks.
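The asymmetry described here and in the dusting-attack paragraph above, shown as an added screening example (not Chainalysis code): a custodial service can refuse to sign an outgoing transfer to a designated address, but an inbound transfer cannot be refused, so the best it can do is record the resulting exposure and flag it for review, including funds that arrive one or more hops later. The designated addresses and the `Screener` class are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholders standing in for the designated addresses; the real
# identifiers come from OFAC's designation, not from this example.
DESIGNATED = {"0xplaceholder-designated-1", "0xplaceholder-designated-2"}


@dataclass
class Transfer:
    sender: str
    recipient: str
    value_eth: float


@dataclass
class Screener:
    """Screening from a custodial service's point of view (hypothetical class)."""
    our_addresses: set
    # address -> fewest hops from a designated address seen so far
    exposure: dict = field(default_factory=dict)

    def _hops(self, addr: str):
        return 0 if addr in DESIGNATED else self.exposure.get(addr)

    def screen(self, tx: Transfer) -> tuple:
        s, r = tx.sender.lower(), tx.recipient.lower()
        # The one case a service can actually stop: an outgoing transfer it signs.
        if s in self.our_addresses and r in DESIGNATED:
            return ("block", "outgoing transfer to OFAC-designated address")
        # Incoming transfers cannot be refused on Ethereum, so record the exposure
        # instead; it is what later screening of the recipient will surface.
        sender_hops = self._hops(s)
        if sender_hops is not None:
            self.exposure[r] = min(sender_hops + 1, self.exposure.get(r, sender_hops + 1))
        if r in self.our_addresses and sender_hops == 0:
            return ("review", "inbound from designated address: possible dusting, cannot be refused")
        if r in self.our_addresses and sender_hops is not None:
            return ("review", f"inbound funds {sender_hops + 1} hops from a designated address")
        return ("allow", "no known exposure to designated addresses")
```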
Circle, the issuer of USDC, has frozen all USDC held in OFAC-designated Tornado Cash addresses, but other stablecoin issuers like Tether have argued that it is not yet certain whether stablecoin issuers are obligated to freeze the assets held by sanctioned addresses.
How Chainalysis helps organizations manage sanctions risk
Chainalysis offers a complete compliance suite for cryptocurrency services – including those in DeFi – ranging from free, simple tooling to powerful, data-driven transaction monitoring. Customers should have maximum flexibility so they can design their compliance processes according to their own risk tolerance.
Our most basic solutions are designed with decentralized web3 protocols like DEXs, DeFi platforms, DAOs, and DApps in mind so they can easily validate that they aren’t interacting with cryptocurrency addresses associated with sanctioned entities. These tools include:
- An API designed for web/mobile UIs and web servers: Users will receive an API key through which they can check if an address of interest is on the sanctions list or not. Click here to express your interest in the API.
- An on-chain oracle designed for smart contracts: Users can call the Chainalysis oracle from another smart contract to check if an address is on a sanctions list. The Chainalysis oracle is deployed on most EVM chains, including Ethereum, Avalanche, BSC, Polygon, Optimism, Arbitrum, and Celo. Learn more about our on-chain oracle.
The next step on the compliance maturity journey is deeper address screening that includes powerful additional context like clustered addresses, more categories like stolen funds, fraud shops, darknet markets, and more. Address screening is for decentralized web3 organizations that want to harness the power of Chainalysis data to automatically prevent high-risk users from connecting to their platform. This demonstrates a more proactive risk and compliance approach with a fully programmatic solution.
The last stop on this maturity journey is powered by sophisticated real-time transaction monitoring via an easy-to-use interface and a real-time API. This capability is ideal for compliance organizations that need to reduce manual workflows and streamline how they share information with their banks and regulators.