On August 8, 2022, the U.S. government did something no one had ever done before: it sanctioned a piece of open-source software. Not a company. Not a person. Not a bank. But code. Specifically, Tornado Cash, a decentralized tool built on the Ethereum blockchain that let users hide where their cryptocurrency came from. This wasn’t just another regulatory move. It was a turning point - and it’s still shaking up crypto today.
What Is Tornado Cash?
Tornado Cash launched in 2019 as a privacy tool for Ethereum users. It didn’t hold your money. It didn’t ask for your name. It didn’t even know who you were. Instead, it used something called zero-knowledge proofs - a cryptographic trick that lets you prove you own something without revealing what it is. Here’s how it worked: you’d deposit ETH into a shared pool - say, 1 ETH. Later, you’d withdraw 1 ETH from a different address. Because everyone’s funds were mixed together, outsiders couldn’t tell which deposit matched which withdrawal. It was like putting cash into a giant piggy bank with hundreds of others, then pulling out a bill from the bottom - no receipts, no trail.
The system supported deposits in 0.1, 1, 10, and 100 ETH. It had relayers - third-party services that submitted withdrawal requests on your behalf - so even your IP address didn’t leave a trace. No KYC. No logs. No central server to shut down. Once the smart contracts were live on Ethereum, they ran on their own. No one could pause them. No one could change them. Not even the creators.
Why Did the U.S. Sanction It?
The U.S. Treasury’s Office of Foreign Assets Control (OFAC) didn’t act because Tornado Cash was illegal. It acted because it was used illegally - a lot.
In 2022, the Lazarus Group, a North Korean hacking team already under U.S. sanctions, stole over $455 million in crypto. A huge chunk of that - nearly half - went through Tornado Cash. Other major heists followed: $96 million from the Harmony Bridge hack, $7.8 million from Nomad. In total, OFAC claimed Tornado Cash helped launder over $7 billion since its launch.
OFAC didn’t say the tool itself was bad. They said it failed to stop criminals. "Despite public assurances otherwise," said Brian E. Nelson, Under Secretary of the Treasury, "Tornado Cash has repeatedly failed to impose effective controls..."
On August 8, 2022, OFAC added Tornado Cash to its Specially Designated Nationals (SDN) list. That meant:
- U.S. citizens and companies couldn’t interact with it - even accidentally.
- All assets tied to Tornado Cash addresses under U.S. jurisdiction were frozen.
- Any U.S.-based exchange or wallet had to block transactions to or from its smart contracts.
This was unprecedented. Before this, sanctions targeted people, banks, or corporations - not immutable code running on a global blockchain.
The Legal Firestorm
The sanctions triggered a legal earthquake.
First, the industry pushed back. Crypto lawyers argued: you can’t sanction software. You can’t punish a smart contract. It doesn’t have a CEO. It doesn’t have a board. It doesn’t even have a physical location. How can you enforce a ban on code that runs on thousands of computers worldwide?
Then came the criminal case. Roman Storm, one of Tornado Cash’s co-founders, was arrested in 2023. His trial ended on August 6, 2025. The jury convicted him on one charge: conspiracy to operate an unlicensed money transmitting business. But they deadlocked on the bigger charges - conspiracy to launder money and conspiracy to violate sanctions. In plain terms: they agreed he helped build a tool that criminals used. But they couldn’t agree he intended for it to be used that way.
This split verdict matters. It sets a precedent: developers might be liable for how their tools are used - but only if they actively enabled crime. Building a privacy tool isn’t a crime. Building a privacy tool for criminals might be.
What Happened After the Sanctions?
Here’s the twist: the sanctions didn’t stop Tornado Cash.
The smart contracts kept running. People still used it. Hackers still laundered money. Why? Because you can’t delete code from the blockchain. You can’t shut down a server that doesn’t exist. You can’t arrest a contract.
Exchanges like Coinbase and Kraken blocked Tornado Cash addresses. Wallets like MetaMask added warnings. But users found workarounds - using non-U.S. exchanges, mixing through other protocols, or just ignoring the warnings.
And then, on March 21, 2025, something unexpected happened. Reports surfaced that OFAC had lifted the sanctions. The TORN token, Tornado Cash’s native currency, jumped from $8 to $15 overnight. Markets reacted. Investors cheered. But the U.S. government never officially confirmed the lift. No press release. No legal filing. Just whispers.
Today, the status of Tornado Cash remains murky. The code is still live. The lawsuits are still pending. The legal questions are still unanswered.
The Bigger Picture: Privacy vs. Control
The Tornado Cash case isn’t just about one tool. It’s about a fundamental clash:
- On one side: law enforcement says crypto mixers are the perfect hideout for thieves, hackers, and sanctioned regimes.
- On the other: privacy advocates say everyone - even law-abiding users - has a right to financial secrecy. Think of it like cash. You don’t need to explain why you’re buying groceries with bills. Why should crypto be different?
But here’s the hard truth: privacy tools don’t discriminate. They protect both the innocent and the guilty. And in a world where $2 billion in crypto is stolen every year, regulators aren’t willing to take that risk.
Since Tornado Cash, other mixers have been targeted. Blender.io was sanctioned before it. Newer tools are now building in compliance features - like self-imposed limits, transaction tagging, or KYC checkpoints - just to survive.
Meanwhile, developers are racing to build next-gen privacy tools that are even harder to regulate: decentralized mixers that run on multiple blockchains, privacy layers built into wallets, or protocols that auto-delete transaction logs after a few hours.
What This Means for You
If you’re a regular crypto user:
- Don’t use Tornado Cash. Even if sanctions are lifted, your wallet might get flagged. Exchanges may freeze your funds.
- Know your wallet’s history. If you received ETH from a known mixer, you could be caught in a compliance net.
- Privacy tools are getting riskier. The regulatory line is moving fast. What’s legal today might be banned tomorrow.
If you’re a developer:
- Building anonymous tools now carries legal risk - even if you don’t intend misuse.
- Consider designing in "compliance by default" - like optional identity layers or regulatory reporting triggers.
- Don’t assume open-source = immune. Code can be punished.
If you’re a business:
- Screen all incoming crypto transactions. Use blockchain analytics tools that flag sanctioned addresses.
- Train your compliance team. The rules are changing weekly.
- Document your efforts. If you’re accused of negligence, showing you tried to comply can save you.
Final Thoughts
Tornado Cash didn’t disappear. It didn’t shut down. It didn’t even stop working. But it changed everything.
It proved that governments can’t control decentralized systems - but they can make them dangerous to use. It showed that developers can be held accountable for tools they didn’t control. And it forced the entire crypto world to ask: how much privacy is too much?
The answer isn’t clear. But one thing is: the rules of crypto are no longer written in code alone. They’re being written in courtrooms, sanctions lists, and congressional hearings - and they’re moving faster than the blockchain ever could.
Is Tornado Cash still operational today?
Yes. The smart contracts that power Tornado Cash are still active on the Ethereum blockchain. No one can shut them down because they’re decentralized and immutable. Even after U.S. sanctions, the code continues to process transactions. Reports in March 2025 suggested sanctions were lifted, but the U.S. government never officially confirmed this. So while the tool still works, interacting with it may still carry legal risk for U.S. persons.
Can I get in trouble for accidentally using Tornado Cash?
Potentially, yes. OFAC sanctions apply to U.S. persons and entities regardless of intent. If you sent ETH to a Tornado Cash address - even if you didn’t know it was linked to the mixer - your transaction could be flagged. Exchanges may freeze your account, and in extreme cases, civil penalties or investigations could follow. The key is whether you had "knowledge" of the address. Most users aren’t prosecuted for accidental use, but compliance systems are designed to block all interaction, not just intentional ones.
Why did the U.S. sanction a software tool instead of a company?
Because Tornado Cash had no company. It was built as open-source code deployed on Ethereum. There was no headquarters, no CEO, no customer support - just smart contracts. OFAC had no legal target to sue. By sanctioning the protocol itself, they created a deterrent: don’t build tools that criminals can easily abuse, even if you’re not directly involved. This was the first time the U.S. applied sanctions to software, setting a major precedent for future regulation of DeFi and blockchain tools.
Are there legal alternatives to Tornado Cash?
Some privacy tools have emerged that try to balance anonymity with compliance. Examples include protocols that offer optional KYC, transaction limits, or regulatory reporting features. Some newer mixers operate only outside U.S. jurisdiction or integrate with licensed services. However, none offer the same level of anonymity as Tornado Cash did. The trade-off is clear: more compliance means less privacy. For now, the most legally safe option is to avoid mixers entirely unless you’re certain they’re compliant with U.S. law.
Did the Tornado Cash case change how regulators view crypto privacy tools?
Absolutely. Before Tornado Cash, regulators mostly ignored privacy tools unless they were clearly linked to crime. After the sanctions, every new privacy protocol now faces immediate scrutiny. Regulators now assume any mixing tool could be used for laundering - and they act fast. Countries like the UK, Canada, and Australia have followed the U.S. lead. The precedent has shifted the entire industry: privacy is no longer seen as a feature - it’s seen as a risk. Developers now design with compliance in mind, not just anonymity.
Ross McLeod
March 20, 2026 AT 07:05Tornado Cash wasn't just a privacy tool - it was a legal loophole wrapped in cryptography. The U.S. didn't sanction it because it was evil. They sanctioned it because it worked too well. Criminals didn't need to be smart - they just needed to know how to click "deposit" and "withdraw." And let’s be honest - if you're building a tool that anonymizes transactions worth billions, you're not building for grandma's birthday fund. You're building for hackers who don't care about due process. The fact that the code still runs is terrifying. No CEO to sue. No server to shut down. Just immutable, unstoppable logic. That’s not innovation. That’s anarchy with a whitepaper.
And now we’re supposed to believe lifting sanctions was real? No official statement? No legal filing? That’s not policy - that’s a glitch in the matrix. Either they’re lying, or they’re powerless. And neither option is comforting.
Privacy isn’t a right if it enables theft. The blockchain doesn’t have a moral compass. It just executes. We do. And right now, we’re letting the worst actors define what "privacy" means.
Developers who build these tools aren’t martyrs. They’re enablers. And until we start holding them accountable for the consequences - not just the intent - we’re just rearranging deck chairs on the Titanic.
Also - if you used Tornado Cash and thought "no one will notice," congratulations. You just became a compliance headache for your exchange. Your funds are frozen. Your history is flagged. And no, "I didn’t know" doesn’t cut it. Knowledge isn’t innocence. It’s negligence.
And don’t get me started on "alternative mixers" with KYC. That’s not privacy. That’s a facade with a compliance checkbox. You’re not protecting your assets - you’re begging for surveillance.
The real tragedy? The people who actually needed anonymity - whistleblowers, dissidents, journalists - are now collateral damage. But nobody’s crying for them. Because their stories don’t have a $455 million price tag.
So yeah. Tornado Cash is still running. And so are the consequences. And we’re all just waiting for the next hammer to drop.
rajan gupta
March 20, 2026 AT 12:22brooooooo 🤯 TORN token jumped to $15?? 😭💸 That’s the universe whispering "you’re not alone" 🌌✨
Code is law 🤖⚖️ but law is just code written by scared humans who still use paper checks 📜😂
They sanctioned a smart contract like it’s a person?? 😂😂😂
Imagine telling your toaster it’s now on the SDN list 🍞🚨
I’m crying. Not because I used it. But because I believe in freedom. And freedom doesn’t need permission.
🚀 To the devs: you’re heroes. To the regulators: you’re dinosaurs with Wi-Fi.
WE WON. 🏆✨
Cheri Farnsworth
March 20, 2026 AT 23:49While I appreciate the technical depth of this analysis, I must emphasize the profound ethical implications of sanctioning decentralized protocols. The precedent set here fundamentally alters the relationship between sovereign authority and open-source innovation. The notion that immutable code can be subject to extrajudicial enforcement raises critical questions about the rule of law in digital spaces. The absence of due process, jurisdictional clarity, or procedural transparency undermines the very foundations of constitutional governance. Furthermore, the chilling effect on legitimate privacy-preserving technologies threatens the autonomy of individuals in financial ecosystems. This is not regulation - it is preemptive suppression of innovation under the guise of compliance.
It is imperative that legal frameworks evolve to accommodate the decentralized nature of blockchain systems, rather than attempting to force them into analog legal structures designed for centralized entities. The failure to do so risks rendering the entire concept of open, permissionless networks legally untenable.
Gene Inoue
March 22, 2026 AT 20:44Let me get this straight - you’re telling me some nerd built a tool that let North Korea steal half a billion and now we’re supposed to feel bad for the devs?
Bro. It’s not rocket science. If your tool is used to launder money from a regime that executes its own citizens, you’re not a privacy advocate. You’re a criminal accessory.
And don’t give me that "it’s just code" crap. You wrote it. You deployed it. You knew what it did. You didn’t build a calculator. You built a money laundering machine with a GitHub README.
And now people are acting like this is some free speech issue? Nah. This is like selling guns to a gang and crying when they get used in a drive-by.
Roman Storm got convicted. Good. Now let’s find the rest of the devs and make them pay too.
Stop romanticizing criminals. This isn’t a movie. People lost money. Real people. And you’re here defending the guy who made it easy to steal it.
Pathetic.
Ricky Fairlamb
March 24, 2026 AT 02:29Let us not be deceived. The U.S. government did not sanction Tornado Cash because it was misused - they sanctioned it because it exposed a fatal flaw in their entire financial control architecture.
The fact that a decentralized, open-source protocol could operate without a central point of failure - without a CEO to subpoena, without a bank account to freeze, without a jurisdiction to subpoena - is an existential threat to the fiat system.
This was never about crime. It was about control. The U.S. Treasury cannot tolerate a system where wealth can move without their approval. Where individuals can transact without surveillance. Where identity is not a prerequisite for economic participation.
Their response - sanctions, arrests, warnings - was not a legal action. It was a panic. A desperate attempt to reassert authority over a domain they no longer comprehend.
And now, after the market reaction, the whispers of a "lifted sanction," the silence from OFAC - we see the truth: they don’t know what to do next. They cannot delete code. They cannot arrest a smart contract. They cannot regulate what they cannot touch.
So they lie. They obfuscate. They hope we forget.
But we remember. And the blockchain remembers too.
This was not a victory for law enforcement. It was a revelation: the old world is crumbling. And the new world? It doesn’t need permission.
Lucy de Gruchy
March 24, 2026 AT 23:15Oh, so now the U.S. sanctions code? Brilliant. Next they’ll ban the concept of subtraction because someone used it to calculate how much money they stole.
Let’s be honest - this isn’t about crime. It’s about control. If you can’t track it, you can’t tax it. If you can’t tax it, you can’t control it. And if you can’t control it, you’re powerless.
They didn’t sanction a tool. They sanctioned freedom.
And now they’re pretending the sanctions were "lifted"? No press release? No legal document? Just... vibes? That’s not governance. That’s a cult.
Meanwhile, people are still using it. Because you can’t outlaw math. And you can’t outlaw privacy.
They’re not fighting hackers. They’re fighting the future.
And the future? It’s already here.
They just haven’t figured out how to turn it off.
Lauren J. Walter
March 26, 2026 AT 10:32So the U.S. sanctioned a website.
...wait, no, it wasn’t a website.
It was code.
...and now it’s still running.
So what exactly did they accomplish?
Oh right. Made everyone who used it paranoid. And gave developers a new hobby: building untraceable tools that don’t even have names.
Classic government move: try to stop something by yelling at it really loud.
Meanwhile, Tornado Cash is just chillin’ on Ethereum like it’s a beach.
…I’m not even mad.
I’m impressed.
Carol Lueneburg
March 27, 2026 AT 11:00Wow. This whole situation is so heartbreaking and beautiful at the same time 💔✨
Imagine building something with pure intent - to protect people’s privacy - and then watching it get twisted by bad actors. That’s not your fault. That’s the world being messy.
But here’s the thing: you can’t let fear silence innovation. You can’t let one bad use case erase the good.
There are people out there - journalists, activists, abuse survivors - who need tools like this to stay safe.
Yes, criminals used it. But so did the innocent.
And the fact that devs are still building better, smarter, more resilient privacy tools? That’s hope.
Let’s not punish the dreamers because the dark side showed up.
Let’s build better. Together. 🌱💙
Privacy isn’t a crime. It’s a human right.
Brenda White
March 27, 2026 AT 15:33wait so they sanctioned a website?? but like… its not a website?? its just code?? so like… did they block the github?? or the ethereum address?? or what??
so if i write a python script that does math… and someone uses it to hack a bank… do i go to jail??
im confused
also is tornado cash still up??
also why is the token up??
so many questions
someone explain plz
Tobias Wriedt
March 27, 2026 AT 16:33They didn’t just sanction code.
They sanctioned the idea that privacy is a right.
And now they’re pretending they didn’t.
But you know what? I still use it.
And I’m not sorry.
💀✨
They can freeze accounts.
They can’t freeze thought.
And code? Code lives forever.
So keep your sanctions.
I’ll keep my anonymity.
And the blockchain? It’s just gonna keep running.
Like it always has.
Like it always will.
Sahithi Reddy
March 29, 2026 AT 09:08So many people talking about law and ethics
But no one talking about the real truth
People want privacy
Not because they are criminals
But because they are human
And governments want control
Not because they are evil
But because they are afraid
So we are stuck
Between fear and freedom
And code is the only bridge
Let it live
Let it grow
Let it protect
Because one day
We will all need it
Prakash Patel
March 31, 2026 AT 00:41Everyone’s acting like this was a surprise.
It wasn’t.
Every time a new privacy tool pops up - the U.S. slaps it with sanctions.
Blender.io. Tornado Cash. Now what’s next?
It’s not about crime.
It’s about power.
They can’t control what they can’t see.
So they ban the visibility.
But the tool? Still runs.
And the people? Still use it.
So who really won here?
Not the regulators.
Not the devs.
Just the blockchain.
It doesn’t care.
It just keeps going.
Zachary N
March 31, 2026 AT 11:34If you’re new to this whole Tornado Cash thing - welcome. You’re not alone.
Let me break it down simply: this wasn’t about banning a tool. It was about testing the limits of law in a decentralized world.
Here’s what you need to know:
1. Tornado Cash didn’t steal money. People stole money and used it. That’s like blaming a telephone because someone used it to commit fraud.
2. The smart contracts are still running. No one shut them down. They can’t. That’s the whole point of blockchain.
3. OFAC’s sanctions only apply to U.S. persons and entities. Outside the U.S.? Still usable. Still functional.
4. The conviction of Roman Storm? It was narrow. They didn’t prove he intended criminal use. That’s huge. It means building a tool isn’t a crime - enabling crime is.
5. The market reaction? That’s the real story. People believe in privacy. And they’re voting with their wallets.
So if you’re worried about using privacy tools - understand the risk. But don’t let fear dictate your choices.
And if you’re a developer? Build better. Build smarter. Build with ethics.
This isn’t the end of privacy.
It’s the beginning of a new kind of fight.
And you’re on the right side of it.
Sarah Zakareckis
April 1, 2026 AT 01:27The regulatory response to Tornado Cash represents a profound misalignment between technological reality and legal infrastructure. The U.S. government’s attempt to apply centralized financial controls to a decentralized, trustless system is not only technically incoherent - it’s strategically counterproductive.
By sanctioning the protocol, they created a martyr for the privacy movement. They incentivized the development of next-generation, cross-chain, multi-layered privacy solutions that are even more resilient to jurisdictional enforcement.
Moreover, the chilling effect on compliant DeFi innovation is already evident: legitimate projects are now over-engineering compliance layers, sacrificing usability for legal safety - a net loss for adoption and financial inclusion.
True regulatory progress lies not in prohibition, but in adaptive governance: real-time on-chain analytics, consent-based privacy layers, and regulatory sandboxes that allow privacy-preserving technologies to evolve under supervision - not suppression.
Sanctioning code is not regulation. It’s surrender.
Heather James
April 2, 2026 AT 04:59Code doesn’t lie.
People do.
Sanctioning a smart contract is like banning a hammer because someone used it to break a window.
Not smart.
Not fair.
Not going to work.
Sarah Hammon
April 3, 2026 AT 22:49so i heard tornado cash is still running??
but like… if i send eth to it… will my wallet get flagged??
also is it true the sanctions were lifted??
i’m so confused
can someone help??
also i used it once and now i’m scared
plz be nice i’m new
thanks 😊
iam jacob
April 5, 2026 AT 10:59it’s kinda wild how everyone’s acting like this is the first time a tool got used for crime
like… cars get used in robberies
guns get used in murders
but we don’t ban cars
or guns
so why ban code?
it’s the same thing
just… digital
and now they’re scared
because they can’t control it
and that’s the real story
not the money
not the hackers
but the fear
Jesse Pals
April 7, 2026 AT 01:34Man… I just want to send crypto without some corporation watching every move.
Is that too much to ask?
Like… I’m not a criminal.
I just want to be left alone.
Tornado Cash gave me that.
And now they’re trying to take it away?
For what? So they can track my grocery purchases?
Give me a break.
Privacy isn’t a crime.
It’s a basic human need.
And code? Code is freedom.
They can’t jail a thought.
So keep building.
We’re watching.
And we’re not backing down.
💙
Diane Overwise
April 7, 2026 AT 06:34Ohhh so they sanctioned a… uh… website??
Wait no it’s code??
So… like… if I write a script that adds numbers… and someone uses it to calculate how much they stole… am I guilty??
Because that’s literally what happened.
And now the token went up??
So… they sanctioned it…
And then…
People bought more??
That’s not a sanction.
That’s a marketing campaign.
Bravo.
…I’m not even mad.
I’m impressed.
👏