Tornado Cash Volume Dramatically Reduced Post Sanctions, But Illicit Actors are Still Using the Mixer
On August 8, 2022, the U.S. Treasury Department’s Office of Foreign Asset Control (OFAC), pursuant to its cyber-related authorities, sanctioned ethereum-based cryptocurrency mixing service Tornado Cash for its use by North Korean cyber criminals to launder the stolen proceeds of hacks against cryptocurrency services. In a series of exploits including the USD 625 million attack on the Ronin bridge – a blockchain project associated with the popular play-to-earn game Axie Infinity, North Korea has stolen over USD 2 billion in the last two years. North Korea, prior to OFAC’s designation, used Tornado Cash to launder approximately a billion dollars of stolen funds.
OFAC's sanctioning of Tornado Cash succeeded in radically reducing usage of the service. According to TRM, the overall volume passing through Tornado Cash has decreased by close to 85% post OFAC sanctions. Perhaps most importantly, North Korean hackers appear to have largely abandoned the service in favor of more traditional Bitcoin mixers. While TRM's research indicates known illicit use of Tornado Cash has nearly doubled when viewed as a percentage of the service's volume, those illicit volumes are simply a larger slice of a much smaller pie.
The U.S. Treasury and Justice Departments take action against Tornado Cash
In August 2023, in the wake of a court decision upholding Treasury’s designation of Tornado Cash, OFAC added Tornado Cash founder Roman Semenov to its sanctions list in a coordinated effort with the U.S. Department of Justice which unsealed an indictment against Semenov and a co-founder of Tornado Cash, Roman Storm, who was arrested by the Federal Bureau of Investigation and the Internal Revenue Service, Criminal Investigation. The DOJ charged Semenov and Storm with conspiracy to commit money laundering, conspiracy to operate an unlicensed money transmitting business, and conspiracy to commit sanctions violations.
Prior to the August 2022 designation, some threat actors used Tornado Cash to launder illicit proceeds. In 2021, TRM Labs reported that Tornado Cash was used in over 35 platform attacks to either fund exploit wallets or obfuscate movements of stolen crypto in that year alone including exploits against Vee, Zabu, Bent, Visor and Grim Finance. As TRM reported at the time, the trend continued in 2022 with widespread use by North Korea, scammers, and other illicit actors.
All this activity led to a coordinated U.S. government effort to target Tornado Cash for its role in facilitating North Korean money laundering. So, what has been the impact of the sanctions and enforcement activity related to Tornado Cash? While TRM has reported that North Korean cybercriminals have moved to other mixers, such as Sinbad, over a year after Tornado Cash sanctions we are still seeing funds move through the mixing service.
TRM’s on-chain analysis shows dramatic decline of overall volume post-sanctions, but continued use by illicit actors
TRM analyzed the volumes of transactions going through Tornado Cash before and after it was sanctioned, highlighting the proportion of these flows that were illicit. Prior to sanctions a substantial percentage of Tornado Cash users appeared to be non-criminal. Post-sanctioning, the proportion of illicit funds has nearly doubled amidst a drastic decline in overall transaction volumes.
Specifically, overall volume passing through Tornado Cash has decreased by close to 85% post-sanctions. In the six-month period prior sanctions (February to July 2022), the total volume into Tornado Cash was over $2.8 bn. In the same period one year later (February to July 2023), the total volume into Tornado Cash dropped to $425M. In addition, while we still see illicit activity passing through Tornado Cash, total illicit volume passing through the mixer has decreased by around 77% post sanctions.
Have the government’s actions against Tornado Cash – from sanctions to criminal prosecutions – been effective? On the one hand overall volume into Tornado Cash has decreased significantly. Since Tornado Cash provides the service of “mixing” deposited funds to obfuscate the provenance, possession, and movement of cryptocurrencies, the more funds that are deposited into Tornado Cash, the more effective the service is at obfuscating their movement. However, it is also clear that illicit actors are still looking to Tornado Cash despite the government’s actions.
Access our coverage of TRON, Solana and 23 other blockchains
Fill out the form to speak with our team about investigative professional services.