Tornado Cash founded in 2019, is a privacy mixing protocol that conceals transactions on Ethereum. When a user sends crypto (Ethereum or other Ethereum-based deposit) into it, it pools and mixes it with transaction from other users, making it harder to follow the transaction trail before outputting it to a new public address / destination where the user can withdraw sent crypto successfully without a trace. This way, asset privacy is achieved as the final withdrawal address cannot be linked to the originating address to which the withdrawn asset was initially sent to the mixer service.
Tornado Cash has seen billions of transactions passed through it in the past three years since its creation. Yesterday, August 8, 2022, the US Department of Treasury through its Office of Foreign Asset Control (OFAC) sanctioned Tornado Cash in accordance with Executive Order E.O 13694 on claims its continued use which assist criminals to launder money, constitutes a threat to the United States security. In its report, it further claimed, cyber criminals and malicious entities have used the protocol to launder more than $7 billion to date since its launch. In stark contrast, Elliptic analytics puts this figure at ~$1.5 billion. By these sanctions, businesses and citizens of the United States are prohibited from using the privacy tool and assets in Tornado Cash have been ordered to be frozen.
What has been said?
Though hailed for its role in preserving privacy of crypto transactions through decentralised means, Tornado Cash has come under increased scrutiny lately as hackers of the Wormhole Bridge, Ronin Bridge, Harmony One and lately Nomad Bridge, have used the mixer concealing service in one way or the other in their attempt to cash out some of the stolen funds. On-chain analysis from leading crypto data analytic firm Nansen and Elliptic have confirmed this.
There is a noticeable pattern in which the privacy tool seems to be the preferred channel used by hackers to funnel their crypto exploits through. In light of this, Ari Redbord, head of legal and government affairs at analytics firm TRM Labs asserts,
Tornado Cash is the “go-to-mixer” for cyber criminals who want to launder money from proceeds of their crime.
Toeing the Line
Intense pressure has seen Tornado Cash add Chainalysis compliance tool to the front-end of it’s service back in April, a move which raised eyebrows of crypto privacy freaks, in a bid to stop OFAC blacklisted crypto wallets from using the privacy concealing dapp. Other measures it incorporated includes a tool called Tornado Cash Note which requires users to state the source of their funds. This tool generates a note at the time of deposit which is required at the time of withdrawal to verify transactions and prove origin of funds. In addition, it enforced IP blocking of certain addresses censored by the United States from using the service. These were all measures put in place to balance privacy and anonymity with compliance to international financial regulatory laws.
However, the United States top dog OFAC believes the Tornado team has not done enough to prevent bad actors and criminals from using its service, hence the ban yesterday. The latest sanctions after first punishing blender.io (blender) earlier in the year for allegedly helping the infamous Lazurus hacking group mix some of the Ronin Bridge hack funds (~$20.5 Million), is seen by many in the crypto space as a crackdown on privacy preserving protocols especially the way it went about it. As a fallout, the GitHub account of Tonardo Cash and those of its contributors have been suspended. GitHub went further to remove its repositories from its platform. Of note, Tonardo Cash website has gone down too hours after the sanctions as companies have begun a clamp down on the service in compliance with US Treasury ban.
Circle affected by the US Treasury ban as a result of associated wallets in Tornado Cash, have followed suit and froze $75,000 USDC stablecoins in the blacklisted Tornado addresses updated in OFAC Special Designated Nationals (SDN) list. These means frozen addresses can't send or withdraw funds on-chain. The regulated USDC issuer does this by calling a “blacklist(address investor)” function.
Decentralisation Threatened
With Treasury eyes firmly on privacy protocols and the ensuing ban on all Tornado Cash resources, which includes API providers Infura and Alchemy blocking access to the service as of today, there has been a public outcry in crypto communities condemning the ban. An advocacy group, Coin Center criticised the sanctions and wonders why a privacy tool that serves a good purpose and could be used by anyone, be singled out for a ban. According to its statement,
a smart contract is a robot and not a person.
It questions how adding Tornado Cash to OFAC updated SDN list is different this time from its past actions.
The Treasury Under Secretary for Terrorism and Financial Intelligence, Brian Nelson said yesterday as part of the sanctions on Tornado Cash,
Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.
One thing is certain, privacy enabling protocols will continue to face run-ins with regulators as it embraces decentralisation and gives users the power to anonymise transactions. In the foreseeable future, they might have to be a middle ground where use of privacy service is balanced with compliance by users in various jurisdiction to prevent abuse of mixer service by bad actors and malicious users.
It's a tough moment for crypto communities. The idea of decentralisation to break anons free from organised establishment just hit a brick wall and this might not be the end. There is no arguing the fact crypto has forever disrupted legacy systems. It is a tool for good and can make our world better than it is. Whether it is used by cyber criminals or rogue nation states sponsored hacking group, is another matter and one we collectively need to address to ensure evil doesn't prevail against good.