US Sanctions on Crypto Mixers: The Tornado Cash Case Explained

On August 8, 2022, the U.S. government did something no one had ever done before: it sanctioned a piece of software. Not a company. Not a person. Not a bank. But a decentralized, open-source tool called Tornado Cash a non-custodial Ethereum-based cryptocurrency mixer that uses zero-knowledge proofs to obscure transaction histories. This wasn’t just a regulatory move-it was a legal earthquake.

What Tornado Cash Actually Did

Tornado Cash wasn’t a company with offices, employees, or CEOs. It was code-smart contracts deployed on the Ethereum blockchain. Launched in 2019, it let users deposit ETH (or other tokens) into anonymity pools and later withdraw the same amount from a different address. The system broke the link between sender and receiver, making transactions untraceable. It supported deposits in 0.1 ETH, 1 ETH, 10 ETH, and 100 ETH chunks. No sign-up. No ID. No KYC. Just pure privacy.

How? Through zero-knowledge proofs a cryptographic method that proves a transaction is valid without revealing any details about it. Think of it like putting cash into a vending machine that gives you a ticket. You later hand that ticket to another machine and get cash out-but no one knows which ticket you used or where the original cash came from.

It wasn’t designed to help criminals. It was built for anyone who wanted financial privacy-journalists in repressive regimes, activists, or even ordinary users who didn’t want their spending habits tracked. But that same privacy made it irresistible to bad actors.

Why OFAC Targeted It

The U.S. Treasury’s Office of Foreign Assets Control (OFAC) didn’t act on a hunch. They had hard numbers. According to their report, Tornado Cash processed over $7 billion in transactions since launch. Of that, at least $455 million was linked to the Lazarus Group a North Korean state-sponsored hacking team sanctioned by the U.S. since 2019.

Specific heists tied to Tornado Cash:

$96 million stolen from the Harmony Bridge hack in June 2022
$7.8 million from the Nomad Bridge exploit in August 2022
Multiple smaller transfers linked to ransomware and darknet market payouts

OFAC’s argument? Tornado Cash didn’t just passively allow misuse-it enabled it at scale. Brian E. Nelson, Under Secretary of the Treasury, said: "Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis."

The sanctions froze any Tornado Cash assets under U.S. jurisdiction and banned all U.S. persons-individuals, companies, exchanges-from interacting with it. Even accessing the website or using the smart contract became a legal risk.

The Legal Firestorm

Sanctioning software? That’s where things got messy.

Legal experts were split. Some called it a necessary step. Others called it unconstitutional. The core issue? Smart contracts self-executing code on blockchains that operate without human intervention once deployed can’t be shut down. They run forever. So how can you sanction something that can’t be turned off?

Then came the trial of Roman Storm, one of Tornado Cash’s co-founders. In August 2025, after a four-week trial in New York, the jury convicted him of conspiracy to operate an unlicensed money transmitting business-but deadlocked on the more serious charges of money laundering and violating sanctions. That split verdict sent a clear signal: courts are struggling to apply old laws to new tech.

Lawyers for Storm argued: "You can’t hold a developer criminally liable for how strangers use their open-source code." Prosecutors countered: "He knew it was being used for crime and did nothing to stop it." The jury didn’t fully agree with either side.

A courtroom with a floating smart contract as the central figure, flanked by legal arguments for privacy and enforcement.

What Happened After the Sanctions

Here’s the twist: the sanctions didn’t stop Tornado Cash from working. The smart contracts kept running. Users still deposited and withdrew ETH. Exchanges like Coinbase and Kraken blocked transactions to known Tornado Cash addresses, but anyone using a non-U.S. wallet or a decentralized exchange could still use it.

Even more surprising: researchers found that cybercriminals kept using Tornado Cash after the sanctions. One analysis showed no drop in usage by malicious actors. Why? Because the protocol was built to be censorship-resistant. No central server. No admin keys. No kill switch.

The real impact? It scared off legitimate users. Privacy-focused projects got nervous. Developers started asking: "If I build something that can be misused, could I go to jail?"

The Ripple Effect

Tornado Cash became a template. After its sanctions, OFAC added Blender.io another crypto mixer that was sanctioned in May 2022 to its list. Other countries watched. Some followed suit. Others hesitated.

Meanwhile, the crypto world scrambled. New privacy tools emerged-not just to avoid detection, but to comply. Protocols started building in "compliance layers": optional KYC checks, transaction limits, or reporting flags. But purists argued: if you add KYC, you’re not a mixer anymore-you’re a bank.

And then, on March 21, 2025, something unexpected happened. Reports surfaced that OFAC had lifted sanctions on Tornado Cash. The TORN token the native governance token of Tornado Cash jumped from $8 to $15 in a single day. Markets cheered. But the legal status? Still murky.

Why? Because the criminal case against Storm wasn’t resolved. The lawsuits challenging OFAC’s authority were still active. And the smart contracts? Still live on Ethereum.

A global network map showing Tornado Cash still active despite U.S. sanctions, with darkened nodes in America.

What This Means for You

If you’re a regular crypto user: you probably won’t touch Tornado Cash. Most exchanges block it. And honestly, if you’re not laundering money, why risk it?

If you’re a developer: this case is a warning. Building privacy tools isn’t illegal-but if they’re used heavily for crime, you could become a target. The line between innovation and liability is thinner than ever.

If you’re in finance or compliance: you now have to screen for code. Not just addresses. Not just wallets. But entire smart contracts. That’s a new kind of risk.

And if you care about privacy: this is a turning point. The government just said: "We can sanction tools that protect your financial data." That’s not just about crypto. It’s about control.

Where Do We Go From Here?

The Tornado Cash case didn’t end with a verdict. It opened a door. Regulators now have a playbook: sanction the tool, not the person. But courts are still figuring out if that’s legal.

Future fights will focus on:

Can the government regulate code as if it were a person?
Do developers have a duty to prevent misuse of open-source software?
Is financial privacy a right-or a red flag?

One thing’s certain: crypto won’t be the same. The days of "code is law" are over. Now, the law is trying to write code.

Was Tornado Cash shut down after the sanctions?

No. Tornado Cash’s smart contracts are on the Ethereum blockchain, which is decentralized and immutable. No one-not even the U.S. government-can shut them down. The sanctions made it illegal for U.S. persons to interact with them, but the code still runs. Transactions continue to occur.

Can I still use Tornado Cash legally?

If you’re a U.S. person (citizen, resident, or company), using Tornado Cash is illegal under OFAC sanctions. Even accessing the website or interacting with its smart contracts could lead to civil or criminal penalties. Non-U.S. users may still use it, but many exchanges block Tornado Cash addresses globally to avoid compliance risks.

Why was Roman Storm only convicted on one charge?

The jury found enough evidence that Storm helped run an unlicensed money transmitting business, but couldn’t agree on whether he knowingly facilitated money laundering or sanctions violations. This reflects how hard it is to prove intent when software operates autonomously. The verdict set a precedent: developers can be held liable for operational roles, but not necessarily for how others misuse their code.

Did the lifting of sanctions in March 2025 mean Tornado Cash is legal again?

There’s no official confirmation from OFAC that sanctions were lifted. The price surge of the TORN token suggests market speculation, but the legal status remains unchanged. The U.S. government has not reversed its position publicly. Until an official statement is issued, Tornado Cash remains on the SDN list.

Are other crypto mixers at risk of being sanctioned?

Yes. After Tornado Cash, OFAC sanctioned Blender.io and has signaled it will continue targeting mixers used by sanctioned entities. Any mixer that processes large volumes of stolen or illicit funds without anti-money laundering controls is at risk. The precedent is now clear: if a tool is used heavily for crime, regulators will act-even if it’s decentralized.

24 Comments

Katrina Smith
March 21, 2026 AT 15:36

lol so now the government can jail you for making a vending machine that accepts cash? 🤡
Gene Inoue
March 23, 2026 AT 05:36

This is what happens when you let anarchists write code and then act shocked when criminals use it. Tornado Cash wasn't a privacy tool - it was a laundering factory with a frontend. Stop pretending it was for journalists.
Lauren J. Walter
March 23, 2026 AT 11:25

I'm just here waiting for the day they sanction a compiler because someone used it to make ransomware. 🥱
john peter
March 23, 2026 AT 13:28

The fundamental error in this entire narrative is the conflation of technological neutrality with moral responsibility. Code is not neutral. It embodies intent. The architects of Tornado Cash knew its primary use case. They optimized for obfuscation, not utility. This is not a free speech issue - it is a failure of ethical engineering.
Jerry Panson
March 25, 2026 AT 09:21

While I understand the regulatory impulse, sanctioning open-source software sets a dangerous precedent. If we begin treating immutable code as a person subject to jurisdiction, we risk undermining the entire legal architecture of digital innovation. Perhaps better solutions lie in transaction monitoring, not blanket prohibition.
Ricky Fairlamb
March 26, 2026 AT 20:57

Of course they didn’t shut it down. The blockchain doesn’t care about your sanctions. But that’s the point - this isn’t about enforcement. It’s about signaling. The U.S. is saying: "We own the financial system, and if you build something outside it, you’re not a developer. You’re a target."
Carol Lueneburg
March 28, 2026 AT 18:48

I just want to say - to every dev out there building privacy tools: you’re not alone. 🫂 This is scary, but we need more of you, not less. Privacy isn’t a crime. It’s a human right. Keep building. We’ve got your back.
Marie Vernon
March 30, 2026 AT 02:57

Honestly, I think the real tragedy here is how this scared away legitimate users. People who just wanted to hide their salary from their spouse or avoid corporate tracking now think every privacy tool is a magnet for federal agents. That’s a loss for everyone.
Ross McLeod
March 30, 2026 AT 18:50

The irony is that OFAC’s move has only made Tornado Cash more attractive to threat actors. When a tool becomes forbidden, it gains mystique. Criminals don’t care about legality - they care about effectiveness. And Tornado Cash remains the most effective mixer on the market. Sanctioning it didn’t reduce crime - it made it more exclusive.
rajan gupta
March 31, 2026 AT 06:26

So let me get this straight - if I build a calculator and someone uses it to calculate how much money to steal from a bank, am I guilty? 😐 This is absurd. The law needs to evolve or it will become a joke.
Billy Karna
April 1, 2026 AT 01:46

There’s a technical detail everyone’s ignoring: Tornado Cash’s smart contracts were designed with a gas fee mechanism that made small deposits economically unviable for laundering. The real volume came from large, automated transfers - not individual users. The problem wasn’t the tool, it was the scale of illicit flows. A better approach would’ve been to target the laundering patterns, not the tool. This is like banning knives because someone used one to commit a crime.
Cheri Farnsworth
April 2, 2026 AT 07:51

The legal precedent here is fragile. If developers can be held liable for how strangers use their code, innovation will freeze. We are entering a new era where liability is not tied to control - but to perception. That’s not justice. It’s fear-based governance.
Arlene Miles
April 3, 2026 AT 15:40

Let’s not pretend this was about crime. This was about control. The government doesn’t want you to have financial privacy. Not because it’s dangerous - because it’s inconvenient. If everyone could hide their money, how would they tax it? How would they track it? How would they control it? This isn’t a war on crime. It’s a war on autonomy.
Jessica Beadle
April 3, 2026 AT 22:03

The TORN token surge was pure speculation. There has been zero official revocation of sanctions. OFAC’s SDN list remains unchanged. Anyone claiming otherwise is either misinformed or deliberately spreading FUD. The legal status remains: prohibited for U.S. persons. Period.
Tony Weaver
April 4, 2026 AT 01:54

This is why I hate crypto. Everyone acts like it’s this utopian freedom revolution - until someone actually uses it to do something illegal. Then it’s "oh no, we must shut it down." The hypocrisy is breathtaking. You want freedom? Then accept that freedom includes people using your tools for bad things.
Patty Atima
April 4, 2026 AT 05:14

Honestly? I’m just glad I never used it. 😅
Lucy de Gruchy
April 4, 2026 AT 17:34

Let’s be real - this was always about North Korea. The $455M figure was cherry-picked. Tornado Cash processed $7B. That means 93% of transactions were clean. But you don’t sanction a tool for 7% misuse - you sanction it because the target is a geopolitical enemy. This isn’t law. It’s economic warfare dressed up as regulation.
Ernestine La Baronne Orange
April 4, 2026 AT 19:22

I can’t believe people are still defending this! Do you know how many ransomware gangs used this? Do you know how many children’s hospitals got hacked because of this? You’re not protecting privacy - you’re protecting monsters. And if you think this is about "code is law," then you’ve never read a single law book in your life.
Manali Sovani
April 6, 2026 AT 05:40

In India, we understand that technology must serve society. If a tool enables harm at scale, it must be regulated. This is not censorship. It is responsibility. The West confuses freedom with lawlessness. We do not.
Konakuze Christopher
April 7, 2026 AT 05:27

They’re coming for the next tool. Next up: Tor. Then Bitcoin. Then encryption. Mark my words.
Taylor Holloman.
April 8, 2026 AT 11:40

I think what’s really happening here is that we’re seeing the death of the idea that software can be neutral. We used to believe that if you built something good, people could use it for good. Now? The moment someone abuses it, the whole thing gets painted as evil. It’s sad. And it’s going to make people stop building things that help.
Bryan Roth
April 9, 2026 AT 20:03

To everyone scared of building privacy tools: don’t be. The fight for financial sovereignty isn’t over. It’s just getting harder. And harder fights mean more people showing up. We’ve seen this before - with open-source, with encryption, with P2P. They try to kill it. We rebuild it. And we build it better.
sai nikhil
April 11, 2026 AT 16:36

I believe in innovation but also in accountability. The solution is not to ban tools, but to build better oversight mechanisms. Maybe integrate zero-knowledge compliance layers - where users can prove legitimacy without revealing data. This is the future - not destruction, but evolution.
Anastasia Danavath
April 12, 2026 AT 08:50

so like... if i make a website that lets people send letters... and someone uses it to send a death threat... am i going to jail? 🤔