Spotlight: Tornado Cash
A mixing protocol that facilitates anonymous transactions on Ethereum by obscuring the trail of transactions
The US Treasury’s Office of Foreign Assets Control recently issued its first-ever sanction on a “cryptocurrency mixer,” Tornado Cash, citing its use in laundering $7B+ worth of cryptocurrencies since 2019.
On Monday, the US Treasury’s Office of Foreign Assets Control (OFAC) issued its first-ever sanction on a “cryptocurrency mixer,” Tornado Cash, and related smart contract addresses.
Tornado Cash is a decentralized protocol on the Ethereum blockchain with ~$400mm in total value locked (TVL) that enables users to make private transactions that are hard to trace.
For example, cryptocurrency holders can deposit cryptocurrencies (like Ether) in a Tornado Cash smart contract and then withdraw them through another crypto address in a private transaction, hiding where the cryptocurrency came from.
By contrast, a standard transaction on a public blockchain like Ethereum can be viewed by the public and is traceable. While cryptocurrency mixers have legal use cases, such as sending cryptocurrencies privately so that the transfer is not visible to the public, they are also used for illicit purposes.
According to the US Treasury, Tornado Cash has been used to launder more than $7B worth of virtual currency since its creation in 2019, which includes $455mm stolen by the Lazarus Group, a Democratic People’s Republic of Korea (DPRK) state-sponsored hacking group that was sanctioned by the U.S. in 2019, in the largest known virtual currency heist to date.
Joining the debate on the benefits of blockchain tools that enable privacy, Ethereum co-founder Vitalik Buterin revealed that he had used Tornado Cash to donate funds to Ukraine in a way that hides his identity. The sanctions led to downstream impacts on users of the cryptocurrency mixer (for both licit and illicit purposes), as regulated institutions like Circle, the issuer of USD Coin, responded to the sanctions and froze over 75,000 USD Coin worth of funds linked to the sanctioned smart contract addresses. The action taken by the US Treasury will likely intensify the debate on privacy in blockchain technologies.
Tornado Cash Obscures the Trail of Crypto Transactions
Tornado Cash is a protocol that is used to obscure the original source of cryptocurrency funds received in a wallet. Users of Tornado Cash can deposit their cryptocurrency tokens in a smart contract managed by Tornado Cash and receive them back through a different digital wallet after Tornado Cash mixes the tokens of multiple users in a central pool, so that the received tokens cannot be traced back to the original sender.
Imagine you have a gold coin which you want to pass to your friend, and there are 3 other people like you who have 3 identical gold coins each, which they also want to pass to their friends. Now you and the other three people put all the gold coins in a pot, from which your friend randomly picks one. Will someone be able to find the actual source of the gold coin your friend picked with full certainty? The answer is no. Now, replace the gold coin in the above example with an Ethereum token.
The mixing pot where the gold coins from all the users were deposited can be thought of as the Tornado Cash protocol, which, when used for Ethereum tokens, makes it almost impossible for someone to track the original source of the Ethereum received.
Tornado Cash can be used as a privacy-enhancing tool for blockchain transactions, because transaction records on most blockchains (including Bitcoin, Ethereum, etc.) are publicly available by design, from inception to the most recent ones.
Anyone can view the holdings of, and transactions to and from, a Bitcoin or Ethereum wallet using blockchain explorer applications (like Blockchain.com, Blockcypher, Tokenview, Blockchair, etc.). Tornado Cash can be used to overcome this privacy issue. However, its use cases have evolved more broadly over time. One of the areas where it has been used prominently is hiding the sources of illicit funds.
Crypto Mixer Tornado Cash Sanctioned for Helping North Korean Hackers Launder Cryptocurrency Funds
On August 8th, 2022, the US Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash, which it believes has been used to launder more than $7 billion worth of cryptocurrencies since 2019, including $455 million of crypto theft by Lazarus Group (a North Korea-sponsored hacking group) in March 2022. In addition, according to OFAC, the crypto mixer was also used to launder $96 million from the June 2022 Harmony Bridge Heist and at least $7.8 million from the August 2022 Nomad Heist.
While it might not have been created by Roman Semenov with the objective of helping criminals mask their cybercrimes, Tornado Cash ended up being used to aid illicit activities in the crypto ecosystem. The developers of Tornado Cash have no control over the smart contracts on which it runs, as they have destroyed the cryptographic keys (think of them as a password) that are required to make changes to its smart contracts. The governance of Tornado Cash is carried out in a decentralized fashion by TORN token holders. The price of the TORN token has declined 40% (as of 8/10/2022) since the US Treasury announced sanctions on Tornado Cash.