- OFAC sanctioned Ethereum-based cryptocurrency mixer Tornado Cash, which has been used by North Korean cyber-criminals and other threat actors to launder the proceeds of hacks and other illicit activity
- Tornado Cash is a favorite money laundering tool for North Korean cybercriminals who, according to analysis by TRM Labs, have used the mixer to launder stolen funds in ten of their most recent crypto heists at an estimated value of nearly $1 billion, including in the $620 million Ronin Bridge hack
- Tornado Cash has been central to many other large cryptocurrency heists
- The U.S. government has been targeting mixers that launder proceeds of hacks and illicit activity — blender.io, Helix and Bitcoin Fog
- As a result of today’s action, all property and interests in property of Tornado Cash in the U.S. is blocked and U.S. persons or entities may not transact with Tornado Cash or sanctioned persons
- Today’s designation of Tornado Cash — while targeted for its involvement in North Korea’s cybercriminal activity — reopens the question of the government’s view of crypto mixers
- OFAC has provided sanctions compliance best practices for crypto businesses
- As the first blockchain intelligence firm for the multi-chain era, TRM has built the most trusted database to protect crypto businesses from sanctions exposure.
Into the eye of a tornado...
Today the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), pursuant to its cyber-related authorities, sanctioned the cryptocurrency mixing service Tornado Cash, which has been used by North Korean cybercriminals, such as the state-sponsored Lazarus Group, to support cyber activities and launder the stolen proceeds of hacks against cryptocurrency businesses. In a series of exploits, including the March 23, 2022, attack on the Ronin bridge (a blockchain project associated with the popular play-to-earn game Axie Infinity), North Korea has used Tornado Cash to move illicit funds in an attempt to obfuscate transactions. According to Treasury, Tornado Cash has laundered $7 billion in illicit proceeds since its creation in 2019.
Today’s sanctioning of Tornado Cash — also referred to as a designation — is a watershed moment not only for the crypto industry but also for financial sanctions overall as it targets a widely used mixing service, potentially answering the question of whether or not mixing services writ large will be allowed to operate as long as they remain susceptible to illicit actors.
Tornado Cash: the privacy tool of choice
Tornado Cash is a tool that allows users to transact privately on Ethereum and hide their ETH transaction history. As a decentralized mixer protocol, or anonymization service, Tornado Cash pools cryptocurrency from multiple users to obfuscate transactions by masking the origins of the funds. Mixing services are used both by legitimate actors who want to keep their funds anonymous and by criminals who use mixers to launder money and obfuscate the origin of illicit proceeds by mixing them with legitimate ones.
Tornado Cash’s code is designed to combine a user’s crypto with a pool of other Tornado Cash users’ crypto in a smart contract. Tornado Cash exists only as a series of smart contracts, which are controlled and governed by a largely anonymous community of holders of its governance token (TORN), who collaborate through a Decentralized Autonomous Organization (DAO).
Tornado Cash’s official site refers to itself as “a fully decentralized protocol for private transactions on Ethereum,” and explains that the service, “...improves transaction privacy by breaking the on-chain link between source and destination addresses. It uses a smart contract that accepts ETH deposits that can be withdrawn by a different address. To preserve privacy a relayer can be used to withdraw to an address with no ETH balance. Whenever ETH is withdrawn by the new address, there is no way to link the withdrawal to the deposit, ensuring complete privacy.”
After the explosion of DeFi in 2021 and 2022, Tornado Cash became the mixer of choice following thefts on Ethereum and other EVM blockchains, and it is popular with hackers: according to TRM’s analysis, over 41% of all funds deposited to Tornado Cash in June and July 2022 were tied to hacks and other thefts.
Tornado Cash is a favorite money laundering tool for North Korea’s Lazarus Group
North Korean actors have used Tornado Cash to launder an estimated $900 million of stolen funds, including in the $620 million Ronin Bridge hack in March 2022, according to an analysis by TRM Labs. Cryptocurrency heists are a key method of funding the cash-strapped government: Pyongyang earned only $89 million in official exports in 2020, according to South Korea’s government-run statistical agency. According to the United Nations, North Korea uses these stolen assets to fund its nuclear and ballistic missile programs.
According to analysis by TRM Labs, North Korean cyber actors used Tornado Cash in all ten of their most recent cryptocurrency heists. Tornado Cash helped North Korea more easily “cash out” to traditional currencies, which its government uses to fund weapons proliferation and other destabilizing activity. Since launch, Tornado Cash has received 3.5M ETH in deposits, worth approximately $7.6B. Across all tokens, it has received $8.5B in total deposits.
As demonstrated by the Ronin hack, Lazarus Group commonly uses multiple mixing services, including Tornado Cash, and other sophisticated obfuscation techniques. Given that North Korea is ultimately not concerned with being caught, Lazarus often moves funds quickly to an off-ramp rather than engaging in lengthy and expensive obfuscation techniques. For further details on North Korea’s cyberattacks on cryptocurrency businesses, see this February report by the Center for a New American Security, produced in conjunction with TRM, and this series of TRM Talks with North Korea experts on Lazarus Group and the continued attacks on cryptocurrency businesses.
Tornado Cash is utilized by a wide variety of illicit actors
Beyond Ronin, Tornado Cash has been used to launder the proceeds of a number of other high-profile hacks, including the April 2022 Beanstalk hack, in which a hacker used a flash loan attack to steal about $180 million of cryptocurrency from Beanstalk, a decentralized finance (DeFi) project. The hacker subsequently laundered all of the stolen funds through Tornado Cash.
And it is not just the largest hacks: smaller heists are also using Tornado Cash. In July 2022, a hacker used a reentrancy attack to steal 1,300 ETH, worth $1.4 million at the time, from OMNI, a non-fungible token (NFT) money market platform, and immediately sent the stolen cryptocurrency to Tornado Cash. Other examples include the Bent Finance attack, in which a hacker sent approximately 240 ETH through Tornado Cash following the exploit on December 20, 2021, and, a day later, the Visor Finance attack, in which the hacker sent approximately 110 ETH through Tornado Cash. On January 8, 2022, LCX, a Liechtenstein-based exchange, announced that it had suffered a hack of one of its hot wallets. The hackers swiftly moved the converted ETH to Tornado Cash; in total, the operation from theft to deposit at Tornado Cash was complete within 1.5 hours of the initial hack.
The U.S. government has been targeting mixers that launder proceeds of hacks and illicit activity — from blender.io to Helix and Bitcoin Fog
In May 2022, OFAC potentially previewed today’s designation when it added bitcoin mixer blender.io to its list of Specially Designated Nationals (SDN). Blender.io, at the time the only sanctioned mixing service, was sanctioned for its use by North Korea in “processing over $20.5 million of the illicit proceeds” stolen in the Ronin exploit. In its announcement, Treasury explained that, “The virtual currency mixers that assist criminals are a threat to U.S. national security interests. Treasury will continue to investigate the use of mixers for illicit purposes and consider the range of authorities.”
While Blender was the first time OFAC used sanctions against a mixing service, Treasury and the U.S. Department of Justice have targeted mixers that facilitate illicit activity before. In February 2020, Larry Harmon was arrested for operating Helix, a darknet-based cryptocurrency laundering service, and charged with money laundering conspiracy for advertising Helix on the darknet. The indictment in Harmon’s case explains that Helix partnered with the darknet market AlphaBay to provide bitcoin laundering services for AlphaBay customers. Harmon has pled guilty to money laundering conspiracy and is awaiting sentencing. The Treasury Department’s Financial Crimes Enforcement Network (FinCEN) also assessed a $60 million penalty against Harmon for operating Helix.
Similarly, on April 27, 2021, U.S. law enforcement arrested Roman Sterlingov, a 32-year-old dual Swedish-Russian national, as he passed through Los Angeles International Airport. Sterlingov was arrested on criminal charges identical to Harmon’s: money laundering conspiracy related to his role as administrator of the bitcoin mixer Bitcoin Fog. According to the criminal complaint, of the $336 million Bitcoin Fog laundered over a decade, at least $78 million passed through the mixing service to darknet markets such as Silk Road, Agora, and AlphaBay. The Bitcoin Fog case is pending. For a deep dive into Helix and Bitcoin Fog, see TRM Insights.
Treasury has also issued guidance on the illicit financing risks associated with mixers and other anonymity-enhancing technologies in the 2022 National Money Laundering Risk Assessment, and as far back as 2020 FinCEN stated in an email to CoinDesk that “mixers such as Tornado Cash could fall under the definition of a money transmitter, and therefore have ‘obligations’ set by the Bank Secrecy Act (BSA).”
The impact of OFAC’s sanctions and what they mean for crypto businesses
So what does all this mean? As a result of today’s action, all property and interests in property of Tornado Cash that is in the United States or in the possession or control of U.S. persons is blocked and must be reported to OFAC. In addition, all transactions by U.S. persons, or within or transiting the U.S. financial system, that involve the property or interests of designated entities or persons are broadly prohibited. In other words, U.S. persons or entities may not transact with Tornado Cash or sanctioned persons. Sanctions are strict liability, which means that intent to evade is not a prerequisite.
In addition, funds that now leave Tornado Cash will be associated with sanctions, so cryptocurrency exchanges and other crypto businesses are on notice that those funds are tainted. Crypto businesses that are already screening for sanctions and following OFAC’s best practices for sanctions compliance (set forth below) are in compliance.
Sanctions against a decentralized service are complicated and come with challenges
But today’s designation comes with implementation and enforcement challenges. In a January 2022 interview with CoinDesk, Tornado Cash co-founder Roman Semenov explained that Tornado Cash is designed so that a third party can’t control it. According to Semenov, the way the protocol is designed, decentralized and autonomous much like decentralized finance (DeFi) protocols, means there’s nobody in charge. There’s no corporate office, executive team or CEO where the buck stops. Semenov said there’s no backend, and the user interface comes from an Ethereum Name Service domain, a service that represents Ethereum addresses as familiar-sounding domain names. “The protocol was specifically designed this way to be unstoppable, because it wouldn't make much sense if some third party [like developers] would have control over it. This would be the same as if someone had control over Bitcoin or Ethereum,” he told CoinDesk.
OFAC expects crypto businesses to follow best practices to mitigate the risk of sanctions exposure
In October 2021, OFAC issued guidance to cryptocurrency businesses. The guidance focuses on best practices for crypto businesses and sets out five essential components of a compliance program: (1) management commitment, (2) risk assessment, (3) internal controls, (4) testing and auditing, and (5) training. These best practices become more important than ever when dealing with a designated entity the size of Tornado Cash.
OFAC outlines how crypto businesses should tailor their sanctions compliance programs to their own risk-based approach. Under the third category, internal controls, OFAC provides additional guidance on the use of blockchain intelligence and other risk mitigation measures, including:
- Transaction Monitoring and Investigation. According to OFAC, transaction monitoring and investigation software should be used to identify transactions involving virtual currency wallet addresses associated with sanctioned individuals or entities, or located in sanctioned jurisdictions. Crypto businesses should also employ transaction monitoring and investigation tools to continually review historical information for such addresses or other identifying information to better understand their exposure to sanctions risks and identify sanctions compliance program deficiencies.
- Geolocation Tools. OFAC makes clear that it expects the use of geolocation tools and IP address blocking tools in order to ensure that a business is not transacting with sanctioned jurisdictions.
- Screen Relevant Data. OFAC expects that companies will screen customer and transactional data available to them against the SDN list and account for updates to user information.
- Know-Your-Customer Procedures. OFAC expects businesses to obtain KYC information from customers during onboarding and throughout the lifecycle of the customer relationship, and to use this information to conduct due diligence sufficient to mitigate the customer’s potential sanctions-related risk. Heightened due diligence, including examining customer transactional history, should be implemented for higher-risk customers.
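The transaction monitoring control above, as an added example that is not TRM Labs’ or OFAC’s code: a minimal exposure screen that flags wallets which dealt directly with a sanctioned address and wallets that later received funds downstream of them. All addresses and transfers are constructed placeholders (the actual SDN entries are not reproduced), and only sender/receiver/time are considered, not amounts.

```python
"""Added example (not TRM's or OFAC's code): screen a transfer ledger for
direct and downstream exposure to sanctioned addresses. All data is constructed."""

def normalize(addr: str) -> str:
    """Ethereum addresses are case-insensitive hex, so compare them in one form."""
    return addr.strip().lower()

def screen_ledger(transfers, sanctioned, max_hops=1):
    """transfers: iterable of (timestamp, sender, receiver, amount).
    Returns {address: hops}: 0 means the address sent to or received from a
    sanctioned address; n > 0 means it received funds n transfers downstream of
    such an address. Taint only flows through transfers made after the sender
    became tainted, so an old payment from a later-tainted wallet is not flagged."""
    sanctioned = {normalize(a) for a in sanctioned}
    exposure = {}  # address -> (hops, timestamp of first taint)

    def mark(addr, hops, ts):
        prev = exposure.get(addr)
        if prev is None or hops < prev[0]:      # never downgrade a closer exposure
            exposure[addr] = (hops, ts if prev is None else min(ts, prev[1]))

    for ts, sender, receiver, _amount in sorted(transfers):
        sender, receiver = normalize(sender), normalize(receiver)
        if sender in sanctioned or receiver in sanctioned:
            counterpart = receiver if sender in sanctioned else sender
            if counterpart not in sanctioned:
                mark(counterpart, 0, ts)        # direct deposit or withdrawal
        elif sender in exposure:
            hops, since = exposure[sender]
            if ts >= since and hops < max_hops:
                mark(receiver, hops + 1, ts)    # downstream of a tainted wallet
    return {addr: hops for addr, (hops, _) in exposure.items()}

# Constructed ledger: a deposit into a stand-in sanctioned pool contract, a
# withdrawal to a fresh wallet, and payments made before and after that withdrawal.
POOL = "0x000000000000000000000000000000000000c0de"   # placeholder, not a real SDN entry
DEPOSITOR, WITHDRAWER = "0x" + "1" * 40, "0x" + "2" * 40
EARLY_PAYEE, PAYEE, PAYEE_OF_PAYEE = "0x" + "3" * 40, "0x" + "4" * 40, "0x" + "5" * 40
SAMPLE_TRANSFERS = [
    (100, DEPOSITOR, POOL, 100.0),
    (150, WITHDRAWER.upper(), EARLY_PAYEE, 1.0),  # predates the taint; mixed case
    (200, POOL, WITHDRAWER, 99.0),
    (300, WITHDRAWER, PAYEE, 50.0),
    (400, PAYEE, PAYEE_OF_PAYEE, 10.0),
]

if __name__ == "__main__":
    for addr, hops in sorted(screen_ledger(SAMPLE_TRANSFERS, {POOL}).items()):
        print(f"{addr}  hops={hops}")
```

With the default of one hop the early payee and the second-hop payee are not flagged; raising `max_hops` extends the downstream reach, at the cost of more false positives.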
How leading crypto firms use TRM to mitigate sanctions risk
The world’s leading crypto exchanges, DeFi interfaces, and asset issuers use TRM’s Wallet Screening API to automatically screen blockchain addresses for sanctions exposure. TRM Labs is the only solution with native cross-chain analytics, enabling investigators to automatically trace sanctions-related funds across multiple blockchains. As the first blockchain intelligence firm designed for a multi-chain era, TRM has built the most trusted database to protect crypto businesses from sanctions exposure on blockchains.
TRM Labs continues to monitor today’s sanctions. All cryptocurrency addresses associated with OFAC's designation are now included in TRM's database. For further information on how these updates may affect your platform as a TRM customer, or for more information about TRM, please contact us directly here, or via firstname.lastname@example.org.
The following addresses have been added to the SDN list: