Tornado Cash, along with other mixers such as AlphaBay, enables customers to conceal the source of their crypto funds when participating in a transaction in exchange for a fee. It blends potentially identifiable or tainted cryptocurrency funds with others to obfuscate the source and destination of crypto assets
The Office of Foreign Asset Control (OFAC), a watchdog within the U.S. Treasury tasked with enforcing sanctions violations, confirmed the sanctions against Tornado Cash on Monday, immediately prohibiting U.S. citizens and businesses from using the service.
Tornado Cash has laundered more than $7 billion worth of virtual currency since it was created in 2019, the Treasury said. This includes $445 million stolen by the Lazarus Group, a notorious North Korean-backed hacking group that is already under U.S. sanctions. The U.S. previously linked Lazarus to the theft of $625 million in cryptocurrency from the Ronin Network, an Ethereum-based sidechain made for the popular play-to-earn game Axie Infinity, and more recently the $100 million theft from Harmony’s Horizon bridge. North Korea has long used cryptocurrency-stealing operations, like ransomware, to fund its nuclear weapons program.
The Treasury also said Tornado was used by hackers to launder at least $7.8 million in stolen crypto funds during last week’s Nomad heist, which led to a cybercriminals exploit a trivial bug to steal $100 million in crypto assets, including Ethereum (ETH), Binance Coin, Tether, USD Coin and Dai.
“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks,” said Treasury Under Secretary Brian E. Nelson. “Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.”
Tornado Cash was created in 2019 based on open source research by the team behind Zcash, according to its website. Its co-founder, Roman Semenov, emphasized the tool’s decentralized nature, saying in a January interview with CoinDesk that “the protocol was specifically designed this way to be unstoppable.”
Tornado isn’t the only cryptocurrency mixer that has landed itself in hot water with regulators for facilitating illegal activity. In February last year, the U.S. Department of Justice arrested a man who operated a similar service called Helix for its role in laundering $300 million.
Back in May, the U.S. Treasury also sanctioned cryptocurrency mixer Blender.io, another service the Lazarus Group used to launder cryptocurrency stolen after hacking the Ronin bridge on the play-to-earn video game Axie Infinity in April. Both Tornado Cash and Blender.io appeared to play a role in obfuscating the digital trail of funds stolen in that $625 million hack, though Tornado was not sanctioned at that time and the Axie-linked theft was not mentioned in today’s OFAC announcement.