Tornado Cash isn’t just another crypto tool. It’s the first piece of open-source software ever placed on the U.S. government’s sanctions list. On August 8, 2022, the Office of Foreign Assets Control (OFAC) froze access to the Ethereum-based mixer, declaring it a threat to national security. The move sent shockwaves through the crypto world. Why? Because Tornado Cash wasn’t a company. It wasn’t even run by people anymore. It was code: immutable, decentralized, and running on a public blockchain. And the U.S. government had just decided that code could be illegal.
How Tornado Cash Worked
Tornado Cash wasn’t designed to hide stolen money. It was built to protect privacy. Launched in 2019, it let users deposit ETH or other tokens into anonymity pools and later withdraw them from a different address. Think of it like dropping cash into a communal piggy bank with dozens of others, then pulling out an equal amount later, but no one could tell which dollar came from whom.
The magic was in zero-knowledge proofs. These are mathematical tricks that prove you own the funds without revealing where they came from. The system supported deposits in 0.1 ETH, 1 ETH, 10 ETH, and 100 ETH chunks. Users didn’t need to sign up. No KYC. No ID. Just a wallet and a transaction. Relayers (third-party services) could even submit withdrawal requests on your behalf, so your IP address never touched the protocol.
This wasn’t a loophole. It was a feature. Privacy isn’t just for criminals. It’s for journalists in authoritarian countries, activists, people avoiding surveillance, or anyone who doesn’t want their financial history tracked by corporations or governments.
Why the U.S. Targeted It
The U.S. Treasury didn’t act because Tornado Cash was evil. They acted because it was used, repeatedly, to launder money from cyberheists. According to official reports, the platform processed over $7 billion in transactions since its launch. Of that, at least $455 million was traced back to North Korea’s Lazarus Group, a state-backed hacking team already under U.S. sanctions. One single heist, the June 2022 Harmony Bridge attack, funneled $96 million through Tornado Cash. Another $7.8 million came from the Nomad Bridge exploit in August 2022.
Brian E. Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence, put it bluntly: "Tornado Cash has repeatedly failed to impose effective controls... without basic measures to address its risks."
The sanctions were issued under Executive Order 13694, which targets cyber-enabled financial threats. Tornado Cash was added to the Specially Designated Nationals (SDN) list. That meant:
- U.S. citizens and companies couldn’t interact with it in any way
- All assets tied to Tornado Cash addresses under U.S. jurisdiction were frozen
- Even using the protocol could lead to civil or criminal penalties
The Legal Firestorm
The sanctions weren’t just controversial; they were legally unprecedented. No one had ever sanctioned software before. Not because it was hard, but because no one thought it was possible. Legal experts immediately raised red flags. Can you sanction a smart contract? What if no one controls it? What if the code runs on thousands of computers worldwide?
In 2023, lawsuits were filed in multiple federal courts. Critics argued OFAC overstepped its authority. The Administrative Procedure Act requires agencies to act within their statutory limits. Sanctioning code that operates autonomously, without a legal person behind it, might not be lawful.
The biggest test came in August 2025, when Roman Storm, one of Tornado Cash’s co-founders, stood trial in New York. He wasn’t accused of stealing money. He was accused of helping others steal it by building a tool. The jury convicted him on one count: conspiracy to operate an unlicensed money transmitting business. But they couldn’t agree on the bigger charges: money laundering or violating sanctions. That deadlock spoke volumes. Even in a courtroom, people couldn’t agree: was he guilty of creating a dangerous tool… or just a tool that was misused?
What Happened After the Sanctions
Here’s the twist: the sanctions didn’t shut Tornado Cash down. The smart contracts kept running. People still used them. Hackers still laundered money through them. The protocol didn’t care about U.S. laws. It ran on Ethereum, a global, permissionless network. No one could turn it off.
In fact, data showed that after the sanctions, exploiters didn’t stop using Tornado Cash; they just adapted. They used relayers from non-U.S. jurisdictions. They moved funds through bridges. They layered it with other mixers. The platform remained one of the most popular tools for obfuscating stolen crypto.
Then, on March 21, 2025, reports surfaced that OFAC had lifted the sanctions. TORN, the platform’s native token, spiked from $8 to $15 in hours. But the lift wasn’t official. No press release. No legal document. Just whispers. And even if it was true, the damage was done. Exchanges still blocked the addresses. Wallets still warned users. Developers still avoided privacy tools. The chilling effect lasted longer than the sanctions.
Who Really Got Hurt?
The biggest losers weren’t criminals. They were everyday users. A person in Venezuela using Tornado Cash to protect their savings from hyperinflation? Blocked. A whistleblower in Poland sending anonymous tips via crypto? Blocked. A developer building a privacy-focused DeFi app? Now terrified of being prosecuted. The U.S. government didn’t just target a mixer. They targeted the right to financial privacy in the digital age. And they did it without a court order, without a trial, and without a clear legal framework. Privacy isn’t a crime. But in the eyes of regulators, tools that enable privacy, especially when criminals use them, are now suspect.