OFAC Sanctions Popular Ethereum Mixer Tornado Cash for Laundering Crypto Stolen by North Korea’s Lazarus Group

Today, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the popular Ethereum mixer Tornado Cash, adding it to the Specially Designated Nationals (SDN) List with 38 unique cryptocurrency addresses included as identifiers. OFAC specifically pointed to Tornado’s role in laundering over $455 million worth of cryptocurrency stolen from Axie Infinity’s Ronin Bridge protocol by the North Korea-affiliated hacking organization, Lazarus Group. Treasury’s press release also mentions Tornado Cash’s receipt of funds stolen from Harmony Bridge in June as well as funds stolen from Nomad Bridge last week.

Today’s designation makes Tornado Cash the second cryptocurrency mixer sanctioned by OFAC following the designation of Blender.io in May, also for its role in laundering funds stolen by Lazarus Group. Below, we’ll tell you more about Tornado Cash, its connection to Lazarus Group, and why today’s designation is an impactful step against cryptocurrency-based crime. 

Tornado Cash overview

Built on the Ethereum blockchain, Tornado Cash is the predominant example of a smart contract mixer. Tornado Cash is non-custodial. Users simply send the funds they want to mix to the Tornado Cash smart contract, and in return receive a cryptographic note they can use to withdraw their mixed funds to a new address by sending a transaction that references their note. Users can wait as long as they want to receive their mixed funds after sending them to Tornado Cash, and the mixer even has a mechanism for providing “clean” Ethereum to the user’s withdrawal address so that they can pay any necessary gas fees without the risk of funding the withdrawal address. 

Since becoming active in August 2019, Tornado Cash has received over $7.6 billion worth of Ethereum, a sizable portion of which has come from illicit or high-risk sources. We can see the full breakdown on the chart below:

Half of those funds came from DeFi protocols, but 18% came from sanctioned entities (almost entirely, we should note, before those entities were sanctioned), while just under 11% were funds stolen from other cryptocurrency services and protocols.

Because Tornado Cash is a smart contract-based mixer, sanctioning it isn’t as simple as sanctioning a centralized service like Blender.io or Hydra Market, as it can’t simply be shut down. The smart contract code can run in perpetuity without maintenance from developers. Tornado Cash co-founder Roman Semenov claimed in March that because of this, the mixer can’t be stopped from operating. Because Tornado Cash can technically continue to run, regulators and crypto compliance teams must stay vigilant to ensure the platforms they’re responsible for don’t transact with the now-sanctioned mixer.

Tornado Cash and Lazarus Group

In March 2022, Lazarus Group hackers stole over $620 million worth of cryptocurrency from the Ronin Bridge protocol in the biggest cryptocurrency hack ever. That theft is part of a much larger trend we’ve observed over the last year of increased stolen funds, mostly from DeFi protocols, and especially from cross-chain bridges. Lazarus Group is one of the biggest perpetrators of these DeFi hacks. Soon after the Ronin Bridge theft, the hackers sent much of those funds to Tornado Cash in order to be laundered.

This is just one of several examples of Tornado Cash being used to launder funds taken in similar hacks, including other hacks either definitively linked or believed to be linked to Lazarus Group.

Why this designation matters

OFAC’s designation of Tornado Cash is a crucial moment in the fight against cryptocurrency-based crime. For one thing, it’s especially timely: More cryptocurrency is being stolen than ever, and in almost every hack we’ve observed this year, Tornado Cash has received at least some of the stolen funds. It also shows that OFAC is committed to staying on the cutting edge of cryptocurrency: As a smart contract-based mixer, Tornado Cash is one of the most advanced methods available for laundering ill-gotten cryptocurrency, and cutting it off from compliant cryptocurrency businesses represents a huge blow for criminals looking to cash out. 

More broadly, this designation suggests that decentralized protocols may be subject to some of the compliance obligations to which centralized services are held. Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said the following in OFAC’s press release on the Tornado Cash designation:

“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks. Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.”

Nelson’s words make it clear that cryptocurrency services, whether they’re decentralized or not, must at least make an effort to implement controls to prevent bad actors from abusing them. 

List of cryptocurrency addresses included as identifiers for Tornado Cash OFAC designation

Ethereum addresses:

USDC addresses:
