U.S. Treasury Sanctions Widely Used Crypto Mixer Tornado Cash


August 8, 2022

Key insights

  • OFAC sanctioned Ethereum-based cryptocurrency mixer Tornado Cash, which has been used by North Korean cyber-criminals and other threat actors to launder the proceeds of hacks and other illicit activity
  • Tornado Cash is a favorite money laundering tool for North Korean cybercriminals who, according to analysis by TRM Labs, have used the mixer to launder stolen funds in ten of their most recent crypto heists at an estimated value of nearly $1 billion, including in the $620 million Ronin Bridge hack
  • Tornado Cash has been central to many other large cryptocurrency heists
  • The U.S. government has been targeting mixers that launder proceeds of hacks and illicit activity — blender.io, Helix and Bitcoin Fog
  • As a result of today’s action, all property and interests in property of Tornado Cash in the U.S. is blocked and U.S. persons or entities may not transact with Tornado Cash or sanctioned persons
  • Today’s designation of Tornado Cash — while targeted for its involvement in North Korea’s cybercriminal activity — reopens the question of the government’s view of crypto mixers
  • OFAC has provided sanctions compliance best practices for crypto businesses
  • As the first blockchain intelligence firm for the multi-chain era, TRM has built the most trusted database to protect crypto businesses from sanctions exposure.

Into the eye of a tornado...

Today the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), pursuant to its cyber-related authorities, sanctioned the cryptocurrency mixing service Tornado Cash, which has been used by North Korean cyber criminals, such as the state-sponsored Lazarus Group, to support cyber activities and launder the stolen proceeds of hacks against cryptocurrency businesses. In a series of exploits including the March 23, 2022, attack on the Ronin bridge — a blockchain project associated with the popular play-to-earn game Axie Infinity — North Korea has used Tornado Cash to move illicit funds in an attempt to obfuscate transactions. According to Treasury, Tornado Cash has laundered $7 billion in illicit proceeds since its creation in 2019.

Today’s sanctioning of Tornado Cash — also referred to as a designation — is a watershed moment not only for the crypto industry but also for financial sanctions overall as it targets a widely used mixing service, potentially answering the question of whether or not mixing services writ large will be allowed to operate as long as they remain susceptible to illicit actors.

Tornado Cash: the privacy tool of choice

Tornado Cash is a tool that allows users to transact privately on Ethereum and hide their ETH transaction history. As a decentralized mixer protocol, or anonymization service, Tornado Cash pools cryptocurrency from multiple users to obfuscate transactions by masking the origins of the funds. Mixing services are used both by legitimate actors who want to maintain the anonymity of their funds, and by criminals who use mixers to launder money and obfuscate the origin of illicit proceeds by mixing them with legal ones.

Tornado Cash’s code is designed to combine a user’s crypto with a pool of other Tornado Cash users’ crypto in a smart contract. Tornado Cash exists only as a series of smart contracts, which are controlled and governed by a largely anonymous community of holders of its governance token (TORN) who collaborate through a Decentralized Autonomous Organization.

Tornado Cash’s official site describes the protocol as “a fully decentralized protocol for private transactions on Ethereum,” and explains that the service “...improves transaction privacy by breaking the on-chain link between source and destination addresses. It uses a smart contract that accepts ETH deposits that can be withdrawn by a different address. To preserve privacy a relayer can be used to withdraw to an address with no ETH balance. Whenever ETH is withdrawn by the new address, there is no way to link the withdrawal to the deposit, ensuring complete privacy.”

After the explosion of DeFi in 2021 and 2022, Tornado Cash became the mixer of choice following thefts on Ethereum and other EVM blockchains. Tornado Cash is popular with hackers. According to TRM’s analysis, over 41% of all funds deposited to Tornado Cash in June and July 2022 were tied to hacks and other thefts.

Source: Tornado Cash official website https://tornado.cash/

Tornado Cash is a favorite money laundering tool for North Korea’s Lazarus Group

North Korean actors have used Tornado Cash to launder an estimated $900 million of stolen funds, including in the $620 million Ronin Bridge hack in March 2022, according to an analysis by TRM Labs. Cryptocurrency heists are a key method of funding the cash-strapped government: Pyongyang earned only $89 million in official exports in 2020, according to South Korea’s government-run statistical agency. According to the United Nations, North Korea uses these stolen assets to fund its nuclear and ballistic missile programs.

According to analysis by TRM Labs, North Korean cyber actors used Tornado Cash in all ten of their most recent cryptocurrency heists. Tornado Cash helped North Korea more easily “cash out” to traditional currencies, which its government uses to fund weapons proliferation and other destabilizing activity. Since launch, Tornado Cash has received 3.5M ETH in deposits, worth approximately $7.6B USD. Across all tokens, it has received $8.5B in total deposits.

As demonstrated by the Ronin hack, Lazarus Group commonly uses multiple mixing services, including Tornado Cash, and other sophisticated obfuscation techniques. Given that North Korea is ultimately not concerned with being caught, Lazarus often moves funds quickly to an off-ramp rather than engaging in lengthy and expensive obfuscation techniques. For further details on North Korea’s cyberattacks on cryptocurrency businesses, please see this February report by the Center for a New American Security, in conjunction with TRM, and check out this series of TRM Talks with North Korea experts on Lazarus Group and the continued attacks on cryptocurrency businesses.

Tornado Cash is utilized by a wide variety of illicit actors

Beyond Ronin, Tornado Cash has been used to launder the proceeds of a number of other high-profile hacks, including the April 2022 Beanstalk hack, in which a hacker used a flash loan attack to steal about $180 million of cryptocurrency from Beanstalk, a decentralized finance (DeFi) project. The hacker subsequently laundered all of the stolen funds through Tornado Cash.

And it is not just the largest hacks: smaller heists are also using Tornado Cash. In July 2022, a hacker used a reentrancy attack to steal 1,300 ETH, worth $1.4 million at the time, from OMNI, a non-fungible token (NFT) money market platform, and immediately sent the stolen cryptocurrency to Tornado Cash. Other examples include the Bent Finance attack, in which a hacker sent approximately 240 ETH through Tornado Cash following the exploit on December 20, 2021, and, a day later, the Visor Finance attack, in which the hacker sent approximately 110 ETH through Tornado Cash. On January 8, 2022, LCX, a Liechtenstein-based exchange, announced that it had suffered a hack of one of its hot wallets. The hackers swiftly moved the converted ETH to Tornado Cash. In total, the operation from theft to deposit at Tornado Cash was complete within 1.5 hours of the initial hack.

Other notable attacks where Tornado Cash was used to move stolen funds (attacks not necessarily affiliated with DPRK).

The U.S. government has been targeting mixers that launder proceeds of hacks and illicit activity — from blender.io to Helix and Bitcoin Fog

In May 2022, OFAC potentially previewed today’s designation when it added bitcoin mixer blender.io to its list of Specially Designated Nationals (SDN). Blender.io, at the time the only sanctioned mixing service, was sanctioned for its use by North Korea in “processing over $20.5 million of the illicit proceeds” stolen in the Ronin exploit. In its announcement, Treasury explained that, “The virtual currency mixers that assist criminals are a threat to U.S. national security interests. Treasury will continue to investigate the use of mixers for illicit purposes and consider the range of authorities.”

While Blender was the first time OFAC used sanctions against a mixing service, Treasury and the U.S. Department of Justice have targeted mixers that facilitate illicit activity before. In February 2020, Larry Harmon was arrested for his operation of Helix, a darknet-based cryptocurrency laundering service. Harmon was charged with money laundering conspiracy for advertising Helix on the darknet. In Harmon, the indictment explains that Helix partnered with darknet market AlphaBay to provide bitcoin laundering services for AlphaBay customers. Harmon has pled guilty to money laundering conspiracy and is awaiting sentencing. The Treasury Department Financial Crimes Enforcement Network (FinCEN) also assessed a $60 million penalty against Harmon for operating Helix.

Similarly, on April 27, 2021, U.S. law enforcement arrested Roman Sterlingov, a 32-year-old Swedish-Russian dual national, as he passed through Los Angeles International Airport. Sterlingov was arrested on criminal charges identical to those against Harmon, for money laundering conspiracy related to his role as administrator of the bitcoin mixer Bitcoin Fog. According to the charges in the criminal complaint, of the $336 million Bitcoin Fog laundered over a decade, at least $78 million passed through the mixing service to darknet markets like Silk Road, Agora, and AlphaBay. The Bitcoin Fog case is pending. For a deep dive into Helix and Bitcoin Fog, check out TRM Insights.

Treasury has also issued guidance on the illicit financing risks associated with mixers and other anonymity-enhancing technologies in the 2022 National Money Laundering Risk Assessment, and as far back as 2020 FinCEN stated in an email to Coindesk that “mixers such as Tornado Cash could fall under the definition of a money transmitter, and therefore have ‘obligations’ set by the Bank Secrecy Act (BSA).”

The impact of OFAC’s sanctions and what they mean for crypto businesses

So what does all this mean? As a result of today’s action, all property and interests in property of Tornado Cash that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, all transactions by U.S. persons, or within or transiting the U.S. financial system, that involve the property or interests of designated entities or persons are broadly prohibited. In other words, U.S. persons or entities may not transact with Tornado Cash or sanctioned persons. Sanctions are strict liability, which means that intent to evade is not a prerequisite.

In addition, funds that now leave Tornado Cash will be associated with sanctions, and therefore cryptocurrency exchanges and other crypto businesses will be on notice that those funds are tainted. Crypto businesses that are already screening for sanctions and following OFAC’s best practices for sanctions compliance (set forth below) are in compliance.

Sanctions against a decentralized service are complicated and come with challenges

But today’s designation comes with implementation and enforcement challenges. In a January 2022 interview with Coindesk, Tornado Cash co-founder Roman Semenov explained that Tornado Cash is designed so that a third party can’t control it. According to Semenov, the way the protocol is designed, decentralized and autonomous, much like decentralized finance (DeFi) protocols, means there’s nobody in charge. There’s no corporate office, executive team or CEO where the buck stops. Semenov said there’s no backend, and the user interface comes from an Ethereum Name Service domain – a service that represents Ethereum addresses as familiar-sounding domain names. “The protocol was specifically designed this way to be unstoppable, because it wouldn't make much sense if some third party [like developers] would have control over it. This would be the same as if someone had control over Bitcoin or Ethereum,” he told CoinDesk.

OFAC expects crypto businesses to follow best practices to mitigate the risk of sanctions exposure

In October 2021, OFAC issued guidance to cryptocurrency businesses. The guidance focuses on best practices for crypto businesses setting out five essential components of a compliance program including (1) management commitment, (2) risk assessment, (3) internal controls, (4) testing and auditing, and (5) training. These best practices become more important than ever when you are dealing with a designated entity the size of Tornado Cash.

OFAC outlines how crypto businesses should tailor their sanctions compliance programs to their own risk-based approach. Under the third category, internal controls, OFAC provides additional guidance on the use of blockchain intelligence and other risk mitigation measures, including:

  • Transaction Monitoring and Investigation. According to OFAC, transaction monitoring and investigation software should be used to identify transactions involving virtual currency wallet addresses associated with sanctioned individuals or entities, or located in sanctioned jurisdictions. Crypto businesses should also employ transaction monitoring and investigation tools to continually review historical information for such addresses or other identifying information, to better understand their exposure to sanctions risks and identify sanctions compliance program deficiencies.
  • Geolocation Tools. OFAC makes clear that it expects the use of geolocation tools and IP address blocking tools in order to ensure that a business is not transacting with sanctioned jurisdictions.
  • Screen Relevant Data. OFAC expects that companies will screen customer and transactional data available to them against the SDN list and account for updates to user information.
  • Know-Your-Customer Procedures. OFAC expects businesses to obtain KYC information from customers during onboarding and throughout the lifecycle of the customer relationship, and to use this information to conduct due diligence sufficient to mitigate the customer’s potential sanctions-related risk. Heightened due diligence, including examining customer transactional history, should be implemented for higher-risk customers.
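The two screening points above (transaction monitoring against listed addresses, and screening transactional data against the SDN list), together with the earlier observation that funds leaving Tornado Cash are now tainted, come down to a small amount of logic that a compliance team can reason about. The following is an added example written for this article; it is not TRM's, OFAC's, or any vendor's code. It takes three entries from the SDN appendix at the end of this article, in the same "TOKEN 0xaddress;" line format, and makes two points that a screening implementation must get right: Ethereum addresses are case-insensitive hex (the mixed case on the SDN list is only the EIP-55 checksum), so comparisons must be done on a canonical form; and exposure is not only direct. The transfer graph, the non-listed addresses, and the hop labels are constructed for the example; the risk policy attached to each label is left to the business's own risk-based program, as the guidance requires.

```python
"""Added example (not TRM's or OFAC's code): screening Ethereum addresses
against an SDN-style list and measuring how many transfers separate an
address from a listed one. Non-listed addresses and transfers are constructed."""
from __future__ import annotations
from collections import deque

# Extract from the article's SDN appendix, in its "TOKEN 0xaddress;" format.
# The same contract appears under two tokens; the parser must merge them.
SDN_TEXT = """
ETH 0x8589427373D6D84E98730D7795D8f6f8731FDA16;
ETH 0x722122dF12D4e14e13Ac3b6895a86e84145b6967;
USDC 0x8589427373D6D84E98730D7795D8f6f8731FDA16;
"""


def normalize(address: str) -> str:
    """Canonical form of an Ethereum address.

    Addresses are 20-byte hex values; the mixed case on the SDN list is only
    the EIP-55 checksum. A screen that compares strings case-sensitively will
    miss a listed address that a client submits in lower case."""
    a = address.strip().rstrip(";")
    if not (a.startswith("0x") and len(a) == 42):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    int(a[2:], 16)  # raises ValueError if any character is not hex
    return a.lower()


def parse_sdn(text: str) -> dict[str, set[str]]:
    """Map each canonical address to the set of tokens it is listed under."""
    listed: dict[str, set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or malformed line
        token, addr = parts
        listed.setdefault(normalize(addr), set()).add(token)
    return listed


def exposure_hops(address, transfers, sdn, max_hops=3):
    """Smallest number of transfers, on the receiving side, between `address`
    and a listed address, or None if none is found within max_hops.
    0: the address itself is listed. 1: it received funds directly from a
    listed address (for example, a mixer withdrawal)."""
    target = normalize(address)
    if target in sdn:
        return 0
    incoming: dict[str, set[str]] = {}
    for sender, receiver, _token in transfers:
        incoming.setdefault(normalize(receiver), set()).add(normalize(sender))
    seen = {target}
    frontier = deque([(target, 0)])
    while frontier:  # breadth-first, so the first hit is the shortest path
        node, depth = frontier.popleft()
        if depth == max_hops:
            continue
        for src in incoming.get(node, ()):
            if src in sdn:
                return depth + 1
            if src not in seen:
                seen.add(src)
                frontier.append((src, depth + 1))
    return None


def classify(address, transfers, sdn, max_hops=3):
    """Queue label for a compliance reviewer. What to do with each label
    (block, hold, escalate) is the business's own risk-based decision."""
    hops = exposure_hops(address, transfers, sdn, max_hops)
    if hops == 0:
        return "LISTED"
    if hops == 1:
        return "DIRECT_EXPOSURE"
    if hops is not None:
        return "INDIRECT_EXPOSURE"
    return "NO_EXPOSURE"


# Constructed placeholder addresses (not real wallets) and a constructed
# transfer log of (sender, receiver, token) tuples.
LISTED = "0x8589427373D6D84E98730D7795D8f6f8731FDA16"
A, B, C, D = ("0x" + h * 20 for h in ("a1", "b2", "c3", "d4"))
TRANSFERS = [
    (LISTED, A, "ETH"),  # withdrawal from a listed contract lands at A
    (A, B, "ETH"),       # A forwards the funds to B: one hop further
    (C, D, "ETH"),       # unrelated transfer with no listed party
]

if __name__ == "__main__":
    sdn = parse_sdn(SDN_TEXT)
    for addr in (LISTED.lower(), A, B, D):
        print(addr, classify(addr, TRANSFERS, sdn))
```

Running the block prints the listed contract as LISTED even though it is queried in lower case, A as DIRECT_EXPOSURE, B as INDIRECT_EXPOSURE and D as NO_EXPOSURE. The `max_hops` bound is the knob that the "continually review historical information" guidance turns into a design decision: a deeper bound catches more laundering paths through intermediate wallets but also pulls in more unrelated counterparties for review.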

How leading crypto firms use TRM to mitigate sanctions risk

The world’s leading crypto exchanges, DeFi interfaces, and asset issuers use TRM’s Wallet Screening API to automatically screen blockchain addresses for sanctions exposure. TRM Labs is the only solution with native cross-chain analytics, enabling investigators to automatically trace sanctions-related funds across multiple blockchains. As the first blockchain intelligence firm designed for a multi-chain era, TRM has built the most trusted database to protect crypto businesses from sanctions exposure on blockchains.

TRM Labs continues to monitor today’s sanctions. All cryptocurrency addresses associated with OFAC's designation are now included in TRM's database. For further information on how these updates may affect your platform as a TRM customer, or for more information about TRM, please contact us directly here, or via contact@trmlabs.com.


___

The following addresses have been added to the SDN list:

ETH 0x8589427373D6D84E98730D7795D8f6f8731FDA16;

ETH 0x722122dF12D4e14e13Ac3b6895a86e84145b6967;

ETH 0xDD4c48C0B24039969fC16D1cdF626eaB821d3384;

ETH 0xd90e2f925DA726b50C4Ed8D0Fb90Ad053324F31b;

ETH 0xd96f2B1c14Db8458374d9Aca76E26c3D18364307;

ETH 0x4736dCf1b7A3d580672CcE6E7c65cd5cc9cFBa9D;

ETH 0xD4B88Df4D29F5CedD6857912842cff3b20C8Cfa3;

ETH 0x910Cbd523D972eb0a6f4cAe4618aD62622b39DbF;

ETH 0xA160cdAB225685dA1d56aa342Ad8841c3b53f291;

ETH 0xFD8610d20aA15b7B2E3Be39B396a1bC3516c7144;

ETH 0xF60dD140cFf0706bAE9Cd734Ac3ae76AD9eBC32A;

ETH 0x22aaA7720ddd5388A3c0A3333430953C68f1849b;

ETH 0xBA214C1c1928a32Bffe790263E38B4Af9bFCD659;

ETH 0xb1C8094B234DcE6e03f10a5b673c1d8C69739A00;

ETH 0x527653eA119F3E6a1F5BD18fbF4714081D7B31ce;

ETH 0x58E8dCC13BE9780fC42E8723D8EaD4CF46943dF2;

ETH 0xD691F27f38B395864Ea86CfC7253969B409c362d;

ETH 0xaEaaC358560e11f52454D997AAFF2c5731B6f8a6;

ETH 0x1356c899D8C9467C7f71C195612F8A395aBf2f0a;

ETH 0xA60C772958a3eD56c1F15dD055bA37AC8e523a0D;

ETH 0x169AD27A470D064DEDE56a2D3ff727986b15D52B;

ETH 0x0836222F2B2B24A3F36f98668Ed8F0B38D1a872f;

ETH 0xF67721A2D8F736E75a49FdD7FAd2e31D8676542a;

ETH 0x9AD122c22B14202B4490eDAf288FDb3C7cb3ff5E;

ETH 0x905b63Fff465B9fFBF41DeA908CEb12478ec7601;

ETH 0x07687e702b410Fa43f4cB4Af7FA097918ffD2730;

ETH 0x94A1B5CdB22c43faab4AbEb5c74999895464Ddaf;

ETH 0xb541fc07bC7619fD4062A54d96268525cBC6FfEF;

ETH 0x12D66f87A04A9E220743712cE6d9bB1B5616B8Fc;

ETH 0x47CE0C6eD5B0Ce3d3A51fdb1C52DC66a7c3c2936;

ETH 0x23773E65ed146A459791799d01336DB287f25334;

ETH 0xD21be7248e0197Ee08E0c20D4a96DEBdaC3D20Af;

ETH 0x610B717796ad172B316836AC95a2ffad065CeaB4;

ETH 0x178169B423a011fff22B9e3F3abeA13414dDD0F1;

ETH 0xbB93e510BbCD0B7beb5A853875f9eC60275CF498;

ETH 0x2717c5e28cf931547B621a5dddb772Ab6A35B701;

ETH 0x03893a7c7463AE47D46bc7f091665f1893656003;

ETH 0xCa0840578f57fE71599D29375e16783424023357;

ETH 0x58E8dCC13BE9780fC42E8723D8EaD4CF46943dF2;

USDC 0x8589427373D6D84E98730D7795D8f6f8731FDA16;

USDC 0x722122dF12D4e14e13Ac3b6895a86e84145b6967;

USDC 0xDD4c48C0B24039969fC16D1cdF626eaB821d3384;

USDC 0xd90e2f925DA726b50C4Ed8D0Fb90Ad053324F31b;

USDC 0xd96f2B1c14Db8458374d9Aca76E26c3D18364307;

USDC 0x4736dCf1b7A3d580672CcE6E7c65cd5cc9cFBa9D
