Blowing away the cybercriminals… OFAC is getting into the eye of the storm again by blacklisting Tornado Cash. Are they being too heavy-handed?
Yesterday, Monday, August 8, 2022, the United States Office of Foreign Assets Control (OFAC) announced the sanctioning of Tornado Cash, a popular cryptocurrency mixing service. This marks the second occasion that OFAC has used financial sanctions against a crypto mixing service. The last time this happened was with Blender.io in May 2022.
For context, this effort is typically reserved to control the most serious global criminal gangs, terrorist organizations or nation states as an expression of ‘hard power’.
Crypto mixers have always had a tough relationship with Law Enforcement Agencies and Blockchain Intelligence firms. There is a prevailing view among these communities that mixers are ‘evil’ and run for criminal purposes only, though similar arguments were made about data in transit encryption during the early days of the internet.
In this blog post, we consider why this sanction happened, and what we think will happen next. For certain, the impacts of this action are likely to be felt for some time.
Who is Tornado Cash and how did we get to sanctioning mixers in the first place?
Tornado Cash (tornado.cash) describes itself as ‘a fully decentralized protocol for private transactions on Ethereum’. It claims to ‘improves transaction privacy by breaking the onchain link between source and destination addresses.’
Tornado gained notoriety for becoming the de-facto destination for stolen funds, particularly those taken by the North Korean hacking group known as Lazarus following the Ronin bridge hack in March 2022. Our research shows that as much as 95% of all funds publicly associated with Lazarus were sent to Tornado Cash. This also represented over 4% of all funds received by the service.
Lazarus was not the only group that relied on Tornado Cash to conceal the source of funds; many other large-scale heists used their service, as well as scams. For this, and many other reasons, there won’t be many in the Law Enforcement community who will be sad to see them go.
Following some prior public chastising, Tornado had stated that they would abide by sanctions and took steps to implement a solution. Despite these efforts, it was not effective.
Crypto Mixers 101: how do they work?
Mixers can broadly fall into two categories: custodial, and non-custodial. Custodial services rely on a trusted third party to provide different, ‘clean’ coins in exchange for the ones sent to it. This requires the user to surrender their funds in the hope they will be returned – a precarious scenario and often used by scammers.
Alternatively, thanks to the Ethereum Virtual Machine and its ability to run Smart Contracts, there are non-custodial services, where a user simply provides deposit funds to a mixer contract and specifies the address to receive funds after mixing.
In lay terms, a mixer can be seen as a large bucket of banknotes that is constantly stirring. To use the mixer, you deposit some notes and take out the same value (less a fee) from the bucket using other ones, breaking the connection between you and the original currency. The origin of funds can now only be termed as the ‘bucket’.
Just the right blend of good and evil for success
There are two key features that are essential to all mixers: Trust and Liquidity.
A mixer is a high-risk service for the user if custodial or not; they are sending funds to an entity in the hope that they will be returned.
A mixer needs enough funds coming in to send out again; a supply of new funds to replace the old.
Tornado Cash had both in ample amount; its developers were public, code audited, and pockets deep. To that end, the hole left by the sanctioning of Tornado Cash will be substantial.
What happens next for Tornado Cash?
As with most things in cryptocurrency, the effects of this action are likely to be felt immediately. Although Tornado Cash can still operate – it is code, after all – OFAC sanctions mean that any business that is exposed to the United States by offering services to businesses, citizens or even in US Dollars may not accept funds from Tornado Cash.
In other words, any property or interests of Tornado Cash located in the US must also be blocked and reported to OFAC.
What happens to everyone else in the meantime?
In the meantime, there will be a rush to fill the void left by Tornado Cash. Based on our observations of similar services being shut down, there are a few scenarios we expect to see in the short term:
- A proliferation of ‘fake’ services resulting in loss of user funds, taking advantage of the loss in service provided by Tornado.
- A shift in activity to cross chain bridge protocols, such as renBTC.
- Action by liquidity pool providers due to exposure to risky funds sent from Tornado Cash. (We are not sure what, if any action may take place, however, it is possible that funds sent from Tornado Cash in liquidity pools will be seized by the operators, particularly if they have a US operation.)
- Regular / Privacy seeking / Law abiding users of TC users may be locked out of regulated on/off ramps
- Potential contagion to other decentralized Apps / LPs that allow users of TC
- Potential legal risk to anyone in the Ethereum supply chain down to miners / validators / stakers.
- Poisoning addresses by using Tornado Cash to send funds to a victim, causing the target to have their account frozen – ‘TORNed’. We have already seen some evidence of this, with dust transactions sent to high profile accounts such as the CEO of Coinbase, Brian Armstrong, and US TV Host, Jimmy Fallon
I’m a crypto asset service provider, should I worry?
Crystal Blockchain platform was updated with these new addresses within 30 minutes of them being published by OFAC, meaning our customers were able to immediately adjust their risk profile and customer exposure to these now sanctioned entities. In other words, our customers are immediately able to minimize potential risk exposure.
That being said, there is a separate question of how to effect compliance in a decentralized environment; decentralized digital asset compliance analytics protocols such as Clarity Protocol (https://clarity-protocol.com/) can help solve this problem.
Wondering what to do next as a VASP to mitigate your risk levels? Get in touch for a demo on how to create risk profiles for potentially risky entities interacting with your business. Email us at [email protected] and speak with our expert team.