Tornado Cash has become something of a go-to “household name” service for those looking to obfuscate the source of crypto funds, something obviously popular with criminals. The recent use of it by North Korea’s Lazarus hacking group in an attempt to launder hundreds of millions in stolen funds appears to have been a bridge too far, however, as the service has announced it will now begin blocking OFAC sanctioned addresses.
The block is at the front end, or decentralized application level, meaning that individual addresses will be blocked but that Tornado Cash itself cannot be sanctioned. The move follows a broader pattern indicating that even the more fringe elements of the DeFi market are moving toward accepting at least some level of government regulation in the face of increasing pressure.
OFAC sanctioned entities now blocked from Tornado Cash
Tornado Cash is the most familiar name in “mixing services.” The site employs its own smart contract that enables it to break the links between wallet transactions, which are generally a matter of public record allowing anyone to trace money as it moves away from where it was stolen. Ethereum traced from numerous cyber crimes has been moved to Tornado Cash to essentially be laundered.
The founders of Tornado Cash have always maintained that this is the necessary cost of providing a way to completely anonymize and decentralize legitimate crypto transactions. The developers rendered the protocol and smart contract outside of their own control, and the service has no backend or formal company structure. This means that the developers are not capable of assisting with law enforcement inquiries or investigations as they have no ability to insert themselves into transactions; this also has, at least to date, shielded them from any legal liability for processing stolen money.
The voluntary concession, which came just a day after the FBI named North Korea’s Lazarus hackers as the prime suspect in the Ronin network breach and the US Treasury Department placed sanctions on a Lazarus wallet involved in the theft, is thus surprising. Tornado Cash co-founder Roman Semenov, who in the recent past has made adamant public statements about keeping governments out of crypto, said that the app front end would be blocking OFAC sanctioned entities from using the service going forward. Tornado Cash will be drawing these addresses from a smart contract created by Chainalysis that checks wallet addresses against sanctions designations.
Tornado Cash said that the OFAC sanctioned address that was being used to process the $625 million stolen from NFT game Axie Infinity’s backing bridge had already been blocked. Tornado Cash has had little to say to the media since, but Semenov went so far on Twitter as to suggest that other services that are not blocking OFAC sanctioned wallets should face jail time.
DeFi inches toward allowing governments in
While active participation in blocking OFAC sanctioned wallets is something of a new move for the DeFi world, the formerly defiant “Wild West” attitude common in the space is showing signs of cooling off as the platforms are plagued by hacks, social engineering scams and thefts in the millions of dollars that are very difficult (if not impossible) to recover.
Tornado Cash’s blocking of OFAC sanctioned wallets follows similar regulation-oriented moves by other platforms in 2021. The 1inch exchange aggregator began geofencing United States addresses out of the system in preparation for what is expected to be a separate US-only platform that will presumably be receptive to regulation by that country. And the Uniswap exchange began banning tokens that resemble securities or derivatives that governments might attempt to claim as something that falls under their legal purview.
Opponents of blocking OFAC sanctioned entities note that it is a somewhat futile move, at least in terms of using Tornado Cash; the hackers could simply move the stolen funds to another wallet. Sanctions generally extend to wallets that interact with an already sanctioned wallet, but the process relies entirely on the Chainalysis Oracle script, which would likely wait for a formal notification of sanctions on the new wallet to be issued. That could give the attackers plenty of time in which to operate.
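An added example, not code from Tornado Cash or Chainalysis: a front-end screening check in JavaScript showing why exact-match blocking misses a wallet that has not yet been designated, along with a one-hop funding check a screener could layer on top (a generalization beyond what the article describes). The addresses, the transfer list, `makeOracle` and `screenDeposit` are all constructed for illustration, and the oracle is a local stand-in rather than the real contract.

```javascript
// Constructed placeholder addresses (not real wallets).
const LISTED = "0x" + "a1".repeat(20); // stands in for a designated wallet
const FRESH = "0x" + "b2".repeat(20);  // funded by LISTED, not yet designated
const CLEAN = "0x" + "c3".repeat(20);
const OTHER = "0x" + "d4".repeat(20);

// Constructed transfer history as [from, to] pairs.
const TRANSFERS = [[LISTED, FRESH], [OTHER, CLEAN]];

// Hypothetical stand-in for the oracle lookup; a real front end would
// query the sanctions contract instead of a local set.
function makeOracle(listed, { down = false } = {}) {
  const set = new Set(listed.map((a) => a.toLowerCase()));
  return (addr) => {
    if (down) throw new Error("oracle unreachable");
    return set.has(addr);
  };
}

// Hex addresses are case-insensitive, so compare them lowercased.
function normalize(addr) {
  if (typeof addr !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(addr)) return null;
  return addr.toLowerCase();
}

// Returns { allow, reason }. Any lookup failure blocks the deposit (fail closed).
function screenDeposit(rawAddr, isSanctioned, transfers) {
  const addr = normalize(rawAddr);
  if (addr === null) return { allow: false, reason: "malformed-address" };
  try {
    if (isSanctioned(addr)) return { allow: false, reason: "listed" };
    // Exact-match screening ends here. The extra pass below flags wallets
    // funded directly by a listed address, which the list alone cannot see.
    for (const [from, to] of transfers) {
      if (normalize(to) === addr && isSanctioned(normalize(from))) {
        return { allow: false, reason: "funded-by-listed" };
      }
    }
  } catch (err) {
    return { allow: false, reason: "oracle-unavailable" };
  }
  return { allow: true, reason: "clear" };
}
```

Passing an empty transfer list reproduces list-only screening, under which the `FRESH` wallet is allowed through.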
Tornado Cash may have already had a policy of working with US officials in place prior to this, however, with reports coming out in January that it had already been given a blacklist of crypto wallets from suspected criminals and terrorists by the Office of Foreign Assets Control.
Some countries have already ventured into some level of regulation of cryptocurrency. China has banned bitcoin entirely from the country, while Japan banned centralized exchanges in 2018 (though continuing to allow peer-to-peer trading) and has legislation in the works to restrict the issuance of stablecoins to banks and wire transfer companies. The US has yet to enact meaningful legislation, but the Securities and Exchange Commission has taken the position that some forms of crypto assets may be securities and that regulations may therefore apply to exchanges and wallets.