US Sanctions on Crypto Mixers: The Tornado Cash Case Explained

On August 8, 2022, the U.S. government did something no one had ever done before: it sanctioned a piece of open-source software. Not a company. Not a person. Not a bank. But code. Specifically, Tornado Cash, a decentralized tool built on the Ethereum blockchain that let users hide where their cryptocurrency came from. This wasn’t just another regulatory move. It was a turning point - and it’s still shaking up crypto today.

What Is Tornado Cash?

Tornado Cash launched in 2019 as a privacy tool for Ethereum users. It didn’t hold your money. It didn’t ask for your name. It didn’t even know who you were. Instead, it used something called zero-knowledge proofs - a cryptographic trick that lets you prove you own something without revealing what it is. Here’s how it worked: you’d deposit ETH into a shared pool - say, 1 ETH. Later, you’d withdraw 1 ETH from a different address. Because everyone’s funds were mixed together, outsiders couldn’t tell which deposit matched which withdrawal. It was like putting cash into a giant piggy bank with hundreds of others, then pulling out a bill from the bottom - no receipts, no trail.

The system supported deposits in 0.1, 1, 10, and 100 ETH. It had relayers - third-party services that submitted withdrawal requests on your behalf - so even your IP address didn’t leave a trace. No KYC. No logs. No central server to shut down. Once the smart contracts were live on Ethereum, they ran on their own. No one could pause them. No one could change them. Not even the creators.

Why Did the U.S. Sanction It?

The U.S. Treasury’s Office of Foreign Assets Control (OFAC) didn’t act because Tornado Cash was illegal. It acted because it was used illegally - a lot.

In 2022, the Lazarus Group, a North Korean hacking team already under U.S. sanctions, stole over $455 million in crypto. A huge chunk of that - nearly half - went through Tornado Cash. Other major heists followed: $96 million from the Harmony Bridge hack, $7.8 million from Nomad. In total, OFAC claimed Tornado Cash helped launder over $7 billion since its launch.

OFAC didn’t say the tool itself was bad. They said it failed to stop criminals. "Despite public assurances otherwise," said Brian E. Nelson, Under Secretary of the Treasury, "Tornado Cash has repeatedly failed to impose effective controls..."

On August 8, 2022, OFAC added Tornado Cash to its Specially Designated Nationals (SDN) list. That meant:

• U.S. citizens and companies couldn’t interact with it - even accidentally.
• All assets tied to Tornado Cash addresses under U.S. jurisdiction were frozen.
• Any U.S.-based exchange or wallet had to block transactions to or from its smart contracts.

This was unprecedented. Before this, sanctions targeted people, banks, or corporations - not immutable code running on a global blockchain.

The Legal Firestorm

The sanctions triggered a legal earthquake.

First, the industry pushed back. Crypto lawyers argued: you can’t sanction software. You can’t punish a smart contract. It doesn’t have a CEO. It doesn’t have a board. It doesn’t even have a physical location. How can you enforce a ban on code that runs on thousands of computers worldwide?

Then came the criminal case. Roman Storm, one of Tornado Cash’s co-founders, was arrested in 2023. His trial ended on August 6, 2025. The jury convicted him on one charge: conspiracy to operate an unlicensed money transmitting business. But they deadlocked on the bigger charges - conspiracy to launder money and conspiracy to violate sanctions. In plain terms: they agreed he helped build a tool that criminals used. But they couldn’t agree he intended for it to be used that way.

This split verdict matters. It sets a precedent: developers might be liable for how their tools are used - but only if they actively enabled crime. Building a privacy tool isn’t a crime. Building a privacy tool for criminals might be.

What Happened After the Sanctions?

Here’s the twist: the sanctions didn’t stop Tornado Cash.

The smart contracts kept running. People still used it. Hackers still laundered money. Why? Because you can’t delete code from the blockchain. You can’t shut down a server that doesn’t exist. You can’t arrest a contract.

Exchanges like Coinbase and Kraken blocked Tornado Cash addresses. Wallets like MetaMask added warnings. But users found workarounds - using non-U.S. exchanges, mixing through other protocols, or just ignoring the warnings.

And then, on March 21, 2025, something unexpected happened. Reports surfaced that OFAC had lifted the sanctions. The TORN token, Tornado Cash’s native currency, jumped from $8 to $15 overnight. Markets reacted. Investors cheered. But the U.S. government never officially confirmed the lift. No press release. No legal filing. Just whispers.

Today, the status of Tornado Cash remains murky. The code is still live. The lawsuits are still pending. The legal questions are still unanswered.

The Bigger Picture: Privacy vs. Control

The Tornado Cash case isn’t just about one tool. It’s about a fundamental clash:

• On one side: law enforcement says crypto mixers are the perfect hideout for thieves, hackers, and sanctioned regimes.
• On the other: privacy advocates say everyone - even law-abiding users - has a right to financial secrecy. Think of it like cash. You don’t need to explain why you’re buying groceries with bills. Why should crypto be different?

But here’s the hard truth: privacy tools don’t discriminate. They protect both the innocent and the guilty. And in a world where $2 billion in crypto is stolen every year, regulators aren’t willing to take that risk.

Since Tornado Cash, other mixers have been targeted. Blender.io was sanctioned before it. Newer tools are now building in compliance features - like self-imposed limits, transaction tagging, or KYC checkpoints - just to survive.

Meanwhile, developers are racing to build next-gen privacy tools that are even harder to regulate: decentralized mixers that run on multiple blockchains, privacy layers built into wallets, or protocols that auto-delete transaction logs after a few hours.

What This Means for You

If you’re a regular crypto user:

• Don’t use Tornado Cash. Even if sanctions are lifted, your wallet might get flagged. Exchanges may freeze your funds.
• Know your wallet’s history. If you received ETH from a known mixer, you could be caught in a compliance net.
• Privacy tools are getting riskier. The regulatory line is moving fast. What’s legal today might be banned tomorrow.

If you’re a developer:

• Building anonymous tools now carries legal risk - even if you don’t intend misuse.
• Consider designing in "compliance by default" - like optional identity layers or regulatory reporting triggers.
• Don’t assume open-source = immune. Code can be punished.

If you’re a business:

• Screen all incoming crypto transactions. Use blockchain analytics tools that flag sanctioned addresses.
• Train your compliance team. The rules are changing weekly.
• Document your efforts. If you’re accused of negligence, showing you tried to comply can save you.

Final Thoughts

Tornado Cash didn’t disappear. It didn’t shut down. It didn’t even stop working. But it changed everything.

It proved that governments can’t control decentralized systems - but they can make them dangerous to use. It showed that developers can be held accountable for tools they didn’t control. And it forced the entire crypto world to ask: how much privacy is too much?

The answer isn’t clear. But one thing is: the rules of crypto are no longer written in code alone. They’re being written in courtrooms, sanctions lists, and congressional hearings - and they’re moving faster than the blockchain ever could.