Aug 8, 2022 - Economy

Ethereum's best known privacy tool falls under U.S. sanctions

Illustration: Shoshana Gordon/Axios

Tornado Cash has been added to the Office of Foreign Assets Control's (OFAC) list of sanctioned internet services, shutting down a key privacy tool for Ethereum users, one frequently used by cybercriminals.

Why it matters: Tornado Cash is a non-custodial mixer that runs on the Ethereum blockchain. It allows an Ethereum address to receive funds without revealing who sent them, much as cash does.

State of play: Americans who try to use Tornado Cash will be in violation of the law.

  • It's on a public blockchain, so it can't be shut off directly. Any American who tries to use it, though, might get a visit from authorities. The OFAC site lists a series of Ethereum addresses associated with each version of Tornado Cash.

What they're saying: "Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks," Treasury under secretary Brian Nelson said in a statement.

  • The statement went on to call mixers like Tornado Cash a threat to U.S. national security.

Yes, but: "This is a limit on any American who wishes to use her own money and a freely available software tool to maintain her own privacy—including for otherwise entirely legal and personal reasons," staff of the crypto think tank, Coin Center, wrote in a statement.

How it works: Tornado Cash collects assets in a pool. Those assets can later be claimed by the depositor or someone else. Using cryptography, Tornado Cash only knows that the claimant has the right to claim some of the underlying funds, but not which depositor the claim corresponds to.

  • This allows the claimant to break the chain of custody for crypto assets.
  • The longer funds sit inside Tornado Cash, the more secure each withdrawal becomes, so Tornado Cash rewards users who let funds sit with awards of its TORN token.
  • Tornado Cash is a smart contract system, a kind of internet robot, so it needs no active human involvement to operate on a day-to-day basis.

Flashback: In April, OFAC announced sanctions against the Lazarus group as a front for cybercrime operations out of North Korea.

  • The group used Tornado Cash to launder over $600 million in crypto assets stolen from Axie Infinity's Ronin bridge.
  • It's one of several instances the agency cited of cybercriminals using the tool to cover their tracks.

The bottom line: Treasury noted in its statement that if it becomes satisfied that Tornado Cash has adequately addressed its concerns, it can then be removed from the OFAC list.
