After The Ban: Tornado Cash 6 Months On


In 2022, much ink was spilled about Tornado Cash, an Ethereum mixer that had become crypto criminals’ favorite escape route over the last two years.

In 2022 alone, Tornado Cash was linked to at least 58 hacks resulting in $1.38 billion in losses! Mixers like Tornado Cash obscure a transaction on the blockchain by sending it through a “complex, semi-random series of dummy transactions” and by commingling one payment with others.

As a result, it becomes unclear to whom funds are being directed, and challenging to trace funds back to a source.

Mixers turn the very transparent blockchain technology into a murky black box, making them an obvious choice for crypto criminals.

Created in 2019, Tornado Cash really took off at the beginning of 2021, concomitantly with the crypto bull run. At its peak in October 2021, its total value locked (TVL) was $1.17 billion.

This very high level of liquidity made it the perfect mixer to hide criminal activity since the higher the level of liquidity, the higher the anonymizing potential for large-scale money laundering schemes.

The Tornado Cash Ban

According to the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), this mixer has been used to launder more than $7 billion worth of cryptocurrency since its launch and has “repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.”

In light of this, on August 8, 2022, the OFAC designated Tornado Cash as a “sanctioned entity,” essentially banning the use of Tornado Cash for U.S. users, since they risk becoming criminal offenders who may face monetary fines (ranging from a few thousand dollars to several million) and prison time of up to 30 years. The immediate reaction of many web3 entities, like decentralized derivatives exchange dYdX, was to ban addresses associated with Tornado Cash.

The ban outraged a vast part of the web3 community and resulted in multiple lawsuits against the U.S. Treasury over its sanctions on Tornado Cash, not to mention the seismic effects on Tornado Cash and its non-criminal users.

In a matter of weeks, Tornado Cash liquidity pools decreased by approximately 60%, its monthly users fell by over 50%, and its TVL dropped from $460.6M in August 2022 to $168.25M at the time of writing.

Source: DeFiLlama

What of crypto criminals?

For a U.S.-based hacker, using Tornado Cash to erase all traces became much more complicated. By becoming less liquid, Tornado Cash liquidity pools make large-scale mixing less feasible and bluntly decrease its anonymizing potential.

Nevertheless, Tornado Cash remains a favorite for hackers. Before the ban, on average, 4.5 hacks/month were linked to a Tornado Cash exit; after the ban, it dropped slightly to 4 in the last months of 2022. Why? Because not all hackers are US-based, and although the ban turned Tornado Cash into a less efficient money laundering tool for hackers, it is still much better than the alternatives despite the risks.

Based on blockchain security firm Elliptic’s report about mixers post-ban, none seems ready to take up the mantle.

Among the top 6 mixers, excluding Tornado Cash, only $41.5 million worth of crypto assets were mixed in total, and only $40,000 (0.1%) of these funds originated from criminal activities.

For Elliptic, the “top contender” for Tornado Cash’s crown is Cyclone Protocol, for its “high transaction limits, the relatively ample liquidity of its mixing pools, and its ability to mix the token of a sanctioned entity (TORN)”; its TVL is only $1.4 million, and it has processed a total of $29.3 million in mixing transactions.

A far cry from the hundred million of Tornado Cash.

Post-ban, analytics show that there was nothing close to a spillover from Tornado Cash to other mixers. In a bear market with a significant lack of liquidity, it is difficult today to envision a mixer that would rise as an alternative without a bull run push and a massive influx of liquidity.

But apparently, the future battleground of anti-money laundering (AML) will not be mixers but cross-chain transactions that could bypass the use of mixers altogether.

Cross-chain Transactions, the Next Tornado Cash

On its own, cross-chain bridge RenBridge has facilitated the laundering of at least $540 million and, for Elliptic, cross-chain transactions promise to soon open “The new age of crypto crime and money laundering.”

Cross-chain bridges and mixers are attractive to crypto criminals for essentially the same reason: blockchain interconnectivity is used to move billions of dollars in crypto between assets and blockchains anonymously to blur the transparency of blockchain technology.

Money laundering across assets to obfuscate illicit financial flows was used to launder at least $4 billion worth of illegal crypto proceeds by hackers, dark web markets, online gambling platforms, criminal virtual asset services, Ponzi schemes, and ransomware, according to Elliptic.

Elliptic says this high-intensity crypto criminality is made possible, and could become the next AML battleground, because of 3 types of services that allow efficient and flawless cross-chain transactions and anonymity: cross-chain bridges, decentralized exchanges (DEXs), and coin swap services.

Cross-chain Bridges.

The use of cross-chain bridges allows “chain hopping”: moving ill-gotten crypto from one blockchain to another as a “money laundering layering technique.” For example, in August 2022, the hacker behind the $190 million hack of cross-chain bridge Nomad used RenBridge to bridge as much as 102.69 BTC into the Bitcoin blockchain.

$750M of illicit funds have been laundered through chain hopping facilitated by bridges.

The vast majority of these illegal assets (over $540 million) have been processed through RenBridge, a cross-chain bridge used predominantly to exchange assets between Bitcoin and Ethereum, painting a red target on RenBridge’s back for regulators.

Decentralized Exchanges.

DEXs are blockchain-based peer-to-peer online services that allow direct crypto transactions among users.

Unlike most centralized exchanges (CEXs), DEXs do not subject their users to know-your-customer (KYC) processes and are not custodian entities, making them an excellent escape route for crypto criminals.

DEXs and token swapping are mainly used to evade asset freezes.

If crypto assets are connected to illicit wallets, their issuers can freeze them, so criminals swap “freezable assets” for unfreezable ones.

DEXs are also used to swap stolen tokens into ETH in order to use Tornado Cash, as well as to swap tokens in order to use cross-chain bridges.

In their study, Elliptic reports that crypto criminals do what they call “DEX token hops”: since 2020, out of the 136 different tokens across the almost 80 exploits they analyzed, the overwhelming majority were swapped, sometimes multiple times over to make them difficult to trace, into mainly ETH, renBTC and DAI, all three being unfreezable assets.

Source: Elliptic

The DEXs Curve and Uniswap account for over 53% of the illicit funds identified, with $315 million and $313 million, respectively.

Following illicit token flows, it appears that criminals do not have one modus operandi when it comes to using DEXs to hide their criminal activities: they swap to one or multiple assets and can use one or more DEXs to do so, in a bid to spread out their illicit activity and become harder to trace.

Coin Swap Services.

Coin swap services (CSS) allow users to swap tokens on the same or different blockchains.

They are convenient for crypto criminals since they do not even need to open accounts to be able to swap tokens, nor are they expected to go through a KYC process (in most of them), and anonymous people manage them.

It almost appears that they are, by design, custom-made to serve criminal activity, which, for some, is the truth.

There are two types of coin swap services: the licit ones and the illicit ones. The illicit coin swap services massively advertise on illicit cybercrime forums and tout, like CSS AudiA6, that their client base is “not respected users, bandits, tramps, scammers and all.”

Elliptic also reports that coin swap services have become widely popular over the last five years: 7.5% of all illicit Bitcoin flows in 2021 passed through coin swap services, a jump from 0.1% in 2016.

More than $1.2 billion of illicit crypto assets were laundered through them, and it can be expected that they will continue to bring in more criminal users, and be used to fill the void left for some by the Tornado Cash ban.
