trust3.org
pl
All articles
AdvancedLegal

Tornado Cash: Privacy Tool or Criminal Infrastructure?

The US government sanctioned a smart contract. Developers got arrested. Here's the full story of the mixer that broke everything.

October 8, 2025
6 min read
Tornado Cash: Privacy Tool or Criminal Infrastructure? meme

Dive Deeper with AI

Click → prompt copied → paste in AI chat

August 8, 2022.

The US Treasury's Office of Foreign Assets Control (OFAC) did something unprecedented.

They sanctioned a smart contract.

Not a person. Not a company. A piece of code on Ethereum.

Tornado Cash—the largest crypto mixer—was now illegal for Americans to use.

This changed everything about crypto, privacy, and what "code is law" actually means.

What was Tornado Cash?

A privacy protocol on Ethereum.

You deposit ETH (or other tokens). You wait. You withdraw to a different address.

The connection between deposit and withdrawal is cryptographically broken.

How it worked:

  1. Deposit fixed amount (0.1, 1, 10, or 100 ETH)
  2. Receive a cryptographic "note" (proof of deposit)
  3. Wait (longer = better privacy)
  4. Use note to withdraw to new address
  5. Zero-knowledge proofs verify you deposited without revealing which deposit was yours

Your fresh address has no link to your original address. Perfect privacy.

The numbers

Before sanctions:

  • $7.6 billion total volume
  • Peak TVL of $700+ million
  • Thousands of daily users
  • Most popular privacy tool on Ethereum

After sanctions:

  • 0 new legitimate US users
  • Contracts still exist (immutable)
  • Still ~$200M+ locked (people afraid to withdraw)
  • Ongoing illegal usage by those who don't care

Why people used it

Legitimate uses:

  • Salary privacy (don't want employer knowing your net worth)
  • Donation privacy (donate to controversial causes anonymously)
  • Security (don't reveal all your holdings to potential attackers)
  • Personal privacy (just don't want public financial records)

Illegitimate uses:

  • Ransomware proceeds laundering
  • Stolen funds obfuscation
  • Sanctions evasion
  • Tax evasion
  • Drug money cleaning

Both used the same tool. That's the problem.

The Lazarus connection

North Korea's Lazarus Group.

The most prolific nation-state hackers in crypto. Billions stolen.

They loved Tornado Cash.

Ronin hack ($625M)? Through Tornado. Horizon bridge hack ($100M)? Through Tornado. Countless others? Through Tornado.

OFAC estimated Lazarus alone laundered $455 million through Tornado Cash.

When you're funding a nuclear weapons program, regulators notice.

The sanction

OFAC added Tornado Cash smart contract addresses to the SDN list (Specially Designated Nationals).

This means:

  • US persons cannot interact with these contracts
  • US companies must block transactions involving them
  • Anyone who does business with US cannot touch them
  • Violation = federal crime, up to 20 years prison

The contracts themselves weren't changed. They CAN'T be changed—they're immutable.

But using them became illegal for most of the world's financial system.

The developer arrests

It got worse.

Alexey Pertsev (developer) - Arrested in Netherlands, August 2022. Charged with money laundering. Convicted May 2024. 5+ years prison.

Roman Storm (developer) - Arrested in US, August 2023. Charged with money laundering, sanctions violations. Trial pending.

Roman Semenov (developer) - Indicted. At large.

The argument: They created and maintained a tool knowing it was used for crime.

The counter-argument: They wrote code. Code is speech. Should gun manufacturers be arrested for murders?

The legal debate is ongoing. The chilling effect is immediate.

The legal questions

Is code speech? First Amendment protects publishing code (established in encryption cases). But operating a service that facilitates crime?

What is "operating"? Tornado Cash is immutable. Developers can't stop it. Can you "operate" something you can't control?

Neutral tool doctrine: Hammers can kill people. We don't ban hammers. When does a tool become criminal infrastructure?

OFAC authority: Can Treasury sanction software? Or just people and entities? Courts are still deciding.

These questions don't have clear answers. The Tornado Cash case will set precedents for decades.

What happened after

Immediate effects:

  • Circle blacklisted USDC in Tornado contracts
  • GitHub deleted the repository
  • Discord shut down the server
  • dApps blocked addresses that interacted with Tornado
  • Some users received "dusted" Tornado transactions (trolls making addresses look dirty)

Ongoing effects:

  • Other mixers under scrutiny
  • Privacy research chilled
  • Developers afraid to build privacy tools
  • DeFi compliance becoming norm

The dusting attacks

This was darkly funny.

Someone sent small Tornado Cash transactions to celebrity wallets. Vitalik Buterin. Jimmy Fallon. Shaq.

Suddenly, these addresses had "touched" sanctioned contracts.

Were they now criminals? Obviously not—they didn't initiate the transactions.

But it showed the absurdity: you can be "contaminated" without consent.

OFAC eventually clarified receiving unsolicited funds isn't a violation. But the point was made.

Still running

Here's the thing: Tornado Cash still works.

The contracts are immutable. They're on Ethereum. They'll keep running until Ethereum stops.

Usage dropped but didn't stop. People who don't care about US sanctions keep using it.

North Korea doesn't follow OFAC rules.

The sanctions reduced legitimate privacy use more than criminal use. Criminals have higher risk tolerance.

The alternatives

After Tornado, what do privacy-seekers use?

Railgun: Privacy protocol, trying to be more compliant.

Aztec: ZK rollup with privacy features.

Monero: Still works. Still private. Harder to on/off ramp.

New mixers: Pop up constantly. Usually less battle-tested.

Nothing: Most people just gave up on privacy.

The privacy tooling space is now much more cautious. Whether that's good or bad depends on your perspective.

The bigger picture

Tornado Cash isn't just about one protocol.

It's about:

  • Can code be sanctioned? Apparently yes.
  • Can developers be jailed for code? Apparently yes.
  • Is on-chain privacy legal? Unclear, increasingly risky.
  • Will DeFi remain permissionless? Under pressure.

The crypto ethos of "can't be stopped, can't be censored" met state power.

State power won. At least legally.

Where it stands now

The protocol: Still running, still usable, still illegal for US persons.

The developers: One convicted, one awaiting trial, one hiding.

The funds: Hundreds of millions still locked, people afraid to touch.

The precedent: Dangerous for privacy advocates, celebrated by regulators.

The debate: Ongoing. No resolution in sight.

What this means for you

  1. Using Tornado Cash is illegal for US persons. Period.

  2. Receiving unsolicited Tornado funds is probably okay. But prove you didn't request them.

  3. Privacy tools carry risk. Legal risk that didn't exist before.

  4. Developer risk is real. Building privacy tools now has prosecution risk.

  5. "Immutable" doesn't mean "untouchable." Code can't be stopped, but users can be prosecuted.

Tornado Cash showed that decentralization has limits.

The code runs forever. The people who use it can still go to prison.

Privacy vs. compliance. Freedom vs. security. The fight continues.

Next: Why crypto mixers don't fully work - the limits of on-chain privacy.

Liked this article? Follow me!

@t0tty3
#tornado-cash#privacy#sanctions#mixer

Dive Deeper with AI

Click → prompt copied → paste in AI chat

All articles