US Sanctions on Crypto Mixers: What the Tornado Cash Case Really Means

What Happened to Tornado Cash?

On August 8, 2022, the U.S. government did something no one had ever done before: it sanctioned a piece of software. Not a company. Not a person. Not a bank. But a decentralized, open-source smart contract on the Ethereum blockchain called Tornado Cash. The Office of Foreign Assets Control (OFAC) added it to the Specially Designated Nationals (SDN) list, making it illegal for any U.S. person or entity to interact with it. This wasn’t just a warning. It was a freeze. Any funds tied to Tornado Cash addresses under U.S. jurisdiction were locked. Developers, exchanges, and even individual users could face criminal charges for using it.

Tornado Cash wasn’t a business. It didn’t have a CEO, an office, or a customer service line. It was code. Deployed on the blockchain in 2019, it let people mix their Ethereum and other tokens by pooling them with others. After a delay, users could withdraw the same amount from a different address-breaking the link between sender and receiver. No ID needed. No KYC. No paperwork. Just math, cryptography, and zero-knowledge proofs.

Why Did the U.S. Target It?

The U.S. Treasury didn’t go after Tornado Cash because it was popular. They went after it because it was used by criminals-and a lot of them.

According to official reports, Tornado Cash was used to launder over $7 billion in crypto since its launch. The biggest culprit? North Korea’s Lazarus Group. This state-backed hacking team stole more than $455 million from crypto bridges and exchanges, and a huge chunk of that cash-$96 million from the Harmony Bridge hack in June 2022, and $7.8 million from the Nomad hack in August 2022-went through Tornado Cash. The Treasury said the mixer had repeatedly failed to put in basic safeguards to stop this.

What made it worse? The platform didn’t just serve criminals. It was the go-to tool for them. Unlike other mixers that might have had occasional bad actors, Tornado Cash became the default option for laundering stolen funds. That’s what pushed regulators past the line. They didn’t ban all privacy tools. They banned the one that was clearly being abused at scale.

Why Was This So Controversial?

Here’s where things got messy. Privacy advocates, developers, and even some lawyers argued: this isn’t about crime. It’s about control.

Tornado Cash was open-source. That means anyone could view, copy, or run the code. It wasn’t hosted on a server. It didn’t need a company to keep it running. Once deployed, it worked on its own-like a vending machine that never turns off. Sanctioning it was like trying to outlaw a public park because someone once robbed a person inside it. The park still exists. People still walk through it. The crime happened there, but the park isn’t the criminal.

And that’s the legal gray zone. OFAC has always targeted people and organizations. But Tornado Cash was code. No one owned it. No one controlled it. So who was actually guilty? The developers? The users? The people who just wanted to hide their transaction history from advertisers or hackers?

One of the co-founders, Roman Storm, was put on trial in August 2025. The jury convicted him of running an unlicensed money transmitter-but couldn’t agree on the bigger charges: money laundering and violating sanctions. That split verdict says a lot. The system isn’t sure if the developer is responsible for how strangers use his code.

What Did the Sanctions Actually Do?

On paper, the sanctions were clear: no U.S. person can interact with Tornado Cash. That includes exchanges like Coinbase and Kraken, which had to block any transaction going to or from Tornado Cash addresses. Wallets like MetaMask started warning users if they tried to send funds to a sanctioned address. Banks froze accounts linked to these transactions.

But here’s the catch: the smart contracts kept running. The blockchain doesn’t care about U.S. laws. People outside the U.S. could still use it. Developers in Europe, Asia, and Latin America kept building tools to interact with it. Even some U.S.-based users found ways around it-using non-U.S. exchanges, running their own nodes, or using relayers to submit transactions anonymously.

And the data shows it didn’t stop criminals. A study by Chainalysis in early 2025 found that despite the sanctions, the volume of laundered funds through Tornado Cash barely dropped. The bad actors just adapted. They used smaller, less-known mixers. They split their funds across multiple protocols. They waited longer between deposit and withdrawal. The system was too decentralized to shut down with a single legal order.

What About Privacy? Is This the End of Crypto Privacy?

This is the real fear. If the U.S. can sanction a privacy tool just because criminals use it, what’s next? What if they go after Zcash? Or Monero? Or even wallet apps that let you hide your balance?

Privacy isn’t just for criminals. It’s for whistleblowers. Journalists. Activists. People in authoritarian countries. People who don’t want their financial history tracked by corporations or governments. A lot of legitimate users used Tornado Cash for exactly that reason.

Some developers responded by building new tools that try to walk the line: privacy protocols that include optional compliance features. For example, some newer mixers now allow users to opt into regulatory reporting if they want to-giving law enforcement a backdoor while still protecting ordinary users who don’t want to disclose anything.

But that’s a slippery slope. If you build a backdoor, you’re no longer offering true privacy. And once you have one, it can be exploited by hackers or abused by governments. The tension isn’t going away.

Did the Sanctions Get Lifted?

On March 21, 2025, there was a surprise. Reports surfaced that OFAC had removed Tornado Cash from the SDN list. The TORN token, the platform’s governance token, jumped from $8 to $15 in a single day. People thought the U.S. had changed its mind.

But here’s the truth: the sanctions weren’t fully lifted. The U.S. didn’t reverse its position. What happened was a technical adjustment. OFAC removed the specific smart contract addresses from the list-but kept the underlying legal framework in place. The platform is still considered high-risk. Exchanges still block it. Developers still face liability. The legal risk hasn’t disappeared. The market reacted because people hoped for change. But the rules haven’t changed.

What Does This Mean for You?

If you’re a regular crypto user in the U.S., you probably won’t ever use Tornado Cash. You don’t need to. Most people don’t. But you should understand what this case means for the future of your money.

This is the first time a government treated software like a bank. And it worked-at least for a while. It scared off big exchanges. It pushed developers to rethink privacy tools. It made regulators feel like they had power over code.

But it also showed how weak that power really is. You can’t shut down a blockchain with a lawsuit. You can’t arrest a smart contract. And you can’t stop people from building new tools that are even harder to track.

The real question isn’t whether Tornado Cash should be banned. It’s this: can we create a world where people have real financial privacy without giving criminals a free pass? So far, the U.S. chose to punish the tool instead of fixing the system. That might be the biggest mistake of all.

What Comes Next?

Regulators are still scrambling. The European Union is drafting its own rules for crypto mixers. Singapore is taking a hands-off approach. Canada is testing a licensing system for privacy tools. Meanwhile, developers are building new protocols that don’t rely on centralized oversight at all.

The next big shift won’t come from a government press release. It’ll come from code. New privacy layers. New blockchains. New ways to prove you’re not a criminal without revealing who you are.

For now, Tornado Cash remains a symbol. Of the power of regulation. Of the limits of control. And of the stubborn reality that some things-like privacy, freedom, and code-can’t be stopped by laws alone.