The TOP Takeover: Tornado Cash’s Latest Chapter

TRM Team

Key Takeaways

  • On June 9, 2026, an attacker withdrew roughly 664 ETH — approximately USD 2.7 million — from Tornado Cash and used those funds to seize majority control of TOP, a decentralized trade-settlement protocol on Ethereum, minting new tokens and selling them for roughly USD 1.6 million in proceeds, more than a year after OFAC delisted Tornado Cash addresses from its sanctions list.
  • Before sanctions, Tornado Cash accounted for roughly half of all crypto mixing across blockchains, peaking near 59% in the second quarter of 2022. Its share collapsed to about 16% after the August 2022 designation, then recovered to more than 40% by late 2025.
  • The TOP takeover follows a recoverable, end-to-end on-chain pattern. A Tornado Cash withdrawal becomes seed capital, seed capital becomes a governance majority, the majority votes to mint protocol tokens, and the minted tokens are swapped for profit.
  • Mixer-origin funds remain a risk signal for governance-layer attacks and stay traceable through time-bound attribution, regardless of a mixer's current designation status.

What Happened

On June 9, 2026, an attacker withdrew roughly 664 ETH — approximately USD 2.7 million — from Tornado Cash and used those funds to seize majority control of TOP, a decentralized trade-settlement protocol on Ethereum, minting new tokens and selling them for roughly USD 1.6 million in proceeds. TRM traced the full sequence on-chain from the mixer withdrawals to the exploit proceeds. 

To understand why that matters, it is necessary to understand the history of Tornado Cash itself — one of the most legally contested, operationally persistent, and analytically complex subjects in crypto over the last four years.

Background: Tornado Cash and the Sanctions Debate

Tornado Cash is an Ethereum-based mixing protocol, first deployed in 2019, that breaks the on-chain link between the source of funds and their destination. Users deposit ETH into a smart contract pool and withdraw equivalent amounts to a different address. The core pool contracts are immutable. Once deployed, no individual or organization can alter, pause, or redirect them.

While lawful actors use it for an array of activities where on-chain privacy is essential, by mid-2022 the protocol had received more than USD 7 billion in lifetime deposits and accounted for close to half of all crypto mixing across blockchains, with documented use by ransomware actors, cybercriminals, and North Korea's Lazarus Group.

OFAC added Tornado Cash to its Specially Designated Nationals (SDN) list in August 2022 under Executive Order 13694 — the first time the US government sanctioned open-source software rather than a person or entity. The designation was immediately contested. Critics argued it exceeded OFAC's statutory authority. Roman Storm and Roman Semenov were indicted in 2023 on money laundering and sanctions violations charges for their roles in developing the protocol. Bad actors began "dusting" — sending small amounts of Tornado Cash-tainted funds to prominent wallets to expose the compliance implications of a designation that could make innocent recipients technically non-compliant.

The Fifth Circuit ruled in Van Loon v. Department of the Treasury in November 2024 that immutable smart contracts are not "property" under the relevant statute and that OFAC had exceeded its authority. Treasury removed Tornado Cash from its sanctions list on March 21, 2025. 

The criminal prosecutions proceeded on separate legal theories. As of June 2026, the protocol is not designated and its developers are still in the midst of protracted criminal proceedings. While the policy questions around developer liability and sanctions authority over decentralized software remain unresolved, Tornado Cash remains one of the most active mixing protocols on Ethereum.

Tornado Cash Received Over USD 700 Million in 2026 YTD

When OFAC sanctioned Tornado Cash addresses in August 2022, Tornado Cash’s share of mixing collapsed to about 16%. However, the mixer recovered to more than 40% by the fourth quarter of 2025. In 2026, Tornado Cash has captured just over 20% of all mixer activity and remains the largest mixer on Ethereum-based networks, with between USD 10 million and USD 80 million in total weekly inflows.

Tornado Cash weekly inflows in 2026 (USD millions, all blockchains). The first and final weeks are partial; the week of June 8 includes the Tornado Cash withdrawal that seeded the TOP governance takeover.

Putting Tornado Cash activity into perspective, total inflows to mixers across all blockchains ran above USD 3 billion per quarter through 2021, then fell to roughly USD 1 billion per quarter for much of 2023 and 2024, and climbed back toward USD 2.7 billion per quarter in 2025. Although Wasabi led mixers by value received in 2026 year-to-date, Tornado Cash remained the second-largest mixer overall and the largest on Ethereum-based networks.

Crypto mixing contracted sharply after 2022, and Tornado Cash's share of it fell from roughly half to about 16% following the August 2022 OFAC sanctions — then both recovered through 2024–2025. All blockchains; 2026 Q2 partial.

The TOP Governance Takeover

TOP is a small Ethereum-based token with a total supply of just 16,384, governed through an Aragon DAO with voting power proportional to holdings. An address that accumulates a majority of the supply controls the outcome of any vote outright. TOP traded against WETH in a Balancer V1 liquidity pool. Its governance had no timelock — a passed proposal could be created, voted through, and executed in a single transaction, with no window for review or challenge.

With 664 ETH of Tornado Cash-withdrawn funds as seed capital, the attacker bought a governance majority, passed a proposal to mint new TOP tokens to a wallet it controlled, and sold those tokens into the decentralized exchange liquidity pool for roughly USD 1.6 million in proceeds. The entire sequence is on-chain. The takeover was the governance design working as written, in the hands of a single majority holder. The absence of a timelock made it executable in a single block, with no opportunity to identify or contest the malicious proposal before execution.

How TRM Traces Through Tornado Cash

Attackers use Tornado Cash in part because they believe the funds become untraceable. However, TRM tracks mixer-obscured flows through demixing, behavioral and timing correlation, anonymity-set analysis, and off-ramp identification. Funds withdrawn from Tornado Cash carry their exposure forward — traced and risk-flagged as they move downstream, regardless of the protocol's current legal status.

TRM has applied these methods in cases that reached a court-ready evidence standard, including the trace of the USD 190 million Nomad bridge attack and the investigation underlying the first-ever conviction for a smart contract hack in the Nirvana Finance case.

What This Means for Investigators and Compliance Teams

When funds withdrawn from Tornado Cash begin accumulating a governance majority in a token protocol, the conditions for a takeover are already in place before any malicious transaction executes. The TOP attack illustrates the full sequence — withdrawal, governance majority, minted tokens, profit — with each step recorded on-chain and traceable. Compliance and AML teams at exchanges and DeFi platforms can use that signal in their monitoring: a concentration of mixer-origin holdings against a protocol's voting supply is observable before it is exercised.
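One way to express the monitoring signal described above, as an added example (not TRM's tooling and not code from the original article): it replays constructed transfer events, marks addresses funded within two ETH hops of a mixer withdrawal, and alerts as their combined token balance approaches a majority of the 16,384 supply. The address labels, the hop limit and the 25%/50% thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

TOTAL_SUPPLY = 16_384   # TOP total supply, as stated in the article
MIXER = "mixer_pool"    # placeholder label for a mixer contract (constructed)

# Constructed sample events in block order: (block, kind, from, to, amount)
EVENTS = [
    (100, "eth", MIXER, "addr_a", 100.0),
    (101, "eth", MIXER, "addr_b", 100.0),
    (102, "eth", "addr_b", "addr_c", 99.5),      # one hop downstream of the mixer
    (103, "eth", "exchange_1", "addr_d", 50.0),  # unrelated funding source
    (110, "token", "pool", "addr_a", 3000),
    (111, "token", "pool", "addr_d", 1200),
    (112, "token", "pool", "addr_c", 2500),
    (113, "token", "addr_c", "addr_a", 2500),    # consolidation into one voter
    (114, "token", "pool", "addr_a", 2800),
]

def mixer_exposed(events, mixer=MIXER, max_hops=2):
    """Addresses funded by the mixer within max_hops ETH transfers.
    Simplification: any inbound exposed transfer marks the whole address."""
    hops = {mixer: 0}
    for _, kind, src, dst, _ in events:
        if kind == "eth" and src in hops and hops[src] < max_hops:
            hops[dst] = min(hops.get(dst, max_hops), hops[src] + 1)
    hops.pop(mixer)
    return set(hops)

def scan(events, total_supply=TOTAL_SUPPLY, warn=0.25, critical=0.50):
    """Replay token transfers; alert when the exposed share of voting supply
    first reaches the warn level or exceeds a majority."""
    exposed = mixer_exposed(events)
    balances, alerts, level = defaultdict(float), [], 0
    for block, kind, src, dst, amount in events:
        if kind != "token":
            continue
        balances[src] -= amount
        balances[dst] += amount
        share = sum(balances[a] for a in exposed) / total_supply
        new_level = 2 if share > critical else 1 if share >= warn else 0
        if new_level > level:
            alerts.append((block, ("WARN", "CRITICAL")[new_level - 1], round(share, 4)))
        level = new_level
    return alerts
```

Summing across all exposed addresses rather than checking each one means the consolidation at block 113 does not hide the build-up: the warning fires at block 112, before the majority is reached at block 114.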

Frequently Asked Questions

  1. Is Tornado Cash still sanctioned? No. OFAC designated Tornado Cash in August 2022. It remained on the sanctions list until March 21, 2025, when Treasury delisted it following the Fifth Circuit's November 2024 ruling in Van Loon v. Department of the Treasury. As of June 2026, Tornado Cash is not designated.
  2. What share of crypto mixing does Tornado Cash account for? Before the August 2022 sanctions, Tornado Cash made up close to half of all crypto mixing across blockchains, peaking near 59% in the second quarter of 2022. Its share fell to about 16% by the end of 2022, then recovered to more than 40% by the fourth quarter of 2025. In 2026, it captures just over 20% of all mixer activity.
  3. Can funds sent through a mixer be traced? Mixers complicate attribution but do not eliminate it. TRM recovers mixer-obscured flows through demixing, timing and behavioral correlation, anonymity-set analysis, and off-ramp identification, with recoverability depending on the strength of the underlying signals in a given case.
  4. What is a governance takeover? A governance takeover occurs when a single party acquires enough of a protocol's governance tokens to control its on-chain votes, then uses that majority to pass and execute proposals in its own interest — such as minting new tokens.
  5. Was TOP's protocol at fault? This analysis describes what the on-chain data shows and assigns no institutional fault. The sequence is presented as a documented pattern of attacker behavior.