On August 8, 2022, the U.S. government did something no one had ever done before: it sanctioned a piece of software. Not a company. Not a person. Not a bank. But a decentralized, open-source tool called Tornado Cash a non-custodial Ethereum-based cryptocurrency mixer that uses zero-knowledge proofs to obscure transaction histories. This wasn’t just a regulatory move-it was a legal earthquake.

What Tornado Cash Actually Did

Tornado Cash wasn’t a company with offices, employees, or CEOs. It was code-smart contracts deployed on the Ethereum blockchain. Launched in 2019, it let users deposit ETH (or other tokens) into anonymity pools and later withdraw the same amount from a different address. The system broke the link between sender and receiver, making transactions untraceable. It supported deposits in 0.1 ETH, 1 ETH, 10 ETH, and 100 ETH chunks. No sign-up. No ID. No KYC. Just pure privacy.

How? Through zero-knowledge proofs a cryptographic method that proves a transaction is valid without revealing any details about it. Think of it like putting cash into a vending machine that gives you a ticket. You later hand that ticket to another machine and get cash out-but no one knows which ticket you used or where the original cash came from.

It wasn’t designed to help criminals. It was built for anyone who wanted financial privacy-journalists in repressive regimes, activists, or even ordinary users who didn’t want their spending habits tracked. But that same privacy made it irresistible to bad actors.

Why OFAC Targeted It

The U.S. Treasury’s Office of Foreign Assets Control (OFAC) didn’t act on a hunch. They had hard numbers. According to their report, Tornado Cash processed over $7 billion in transactions since launch. Of that, at least $455 million was linked to the Lazarus Group a North Korean state-sponsored hacking team sanctioned by the U.S. since 2019.

Specific heists tied to Tornado Cash:

• $96 million stolen from the Harmony Bridge hack in June 2022
• $7.8 million from the Nomad Bridge exploit in August 2022
• Multiple smaller transfers linked to ransomware and darknet market payouts

OFAC’s argument? Tornado Cash didn’t just passively allow misuse-it enabled it at scale. Brian E. Nelson, Under Secretary of the Treasury, said: "Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis."

The sanctions froze any Tornado Cash assets under U.S. jurisdiction and banned all U.S. persons-individuals, companies, exchanges-from interacting with it. Even accessing the website or using the smart contract became a legal risk.

The Legal Firestorm

Sanctioning software? That’s where things got messy.

Legal experts were split. Some called it a necessary step. Others called it unconstitutional. The core issue? Smart contracts self-executing code on blockchains that operate without human intervention once deployed can’t be shut down. They run forever. So how can you sanction something that can’t be turned off?

Then came the trial of Roman Storm, one of Tornado Cash’s co-founders. In August 2025, after a four-week trial in New York, the jury convicted him of conspiracy to operate an unlicensed money transmitting business-but deadlocked on the more serious charges of money laundering and violating sanctions. That split verdict sent a clear signal: courts are struggling to apply old laws to new tech.

Lawyers for Storm argued: "You can’t hold a developer criminally liable for how strangers use their open-source code." Prosecutors countered: "He knew it was being used for crime and did nothing to stop it." The jury didn’t fully agree with either side.

What Happened After the Sanctions

Here’s the twist: the sanctions didn’t stop Tornado Cash from working. The smart contracts kept running. Users still deposited and withdrew ETH. Exchanges like Coinbase and Kraken blocked transactions to known Tornado Cash addresses, but anyone using a non-U.S. wallet or a decentralized exchange could still use it.

Even more surprising: researchers found that cybercriminals kept using Tornado Cash after the sanctions. One analysis showed no drop in usage by malicious actors. Why? Because the protocol was built to be censorship-resistant. No central server. No admin keys. No kill switch.

The real impact? It scared off legitimate users. Privacy-focused projects got nervous. Developers started asking: "If I build something that can be misused, could I go to jail?"

The Ripple Effect

Tornado Cash became a template. After its sanctions, OFAC added Blender.io another crypto mixer that was sanctioned in May 2022 to its list. Other countries watched. Some followed suit. Others hesitated.

Meanwhile, the crypto world scrambled. New privacy tools emerged-not just to avoid detection, but to comply. Protocols started building in "compliance layers": optional KYC checks, transaction limits, or reporting flags. But purists argued: if you add KYC, you’re not a mixer anymore-you’re a bank.

And then, on March 21, 2025, something unexpected happened. Reports surfaced that OFAC had lifted sanctions on Tornado Cash. The TORN token the native governance token of Tornado Cash jumped from $8 to $15 in a single day. Markets cheered. But the legal status? Still murky.

Why? Because the criminal case against Storm wasn’t resolved. The lawsuits challenging OFAC’s authority were still active. And the smart contracts? Still live on Ethereum.

What This Means for You

If you’re a regular crypto user: you probably won’t touch Tornado Cash. Most exchanges block it. And honestly, if you’re not laundering money, why risk it?

If you’re a developer: this case is a warning. Building privacy tools isn’t illegal-but if they’re used heavily for crime, you could become a target. The line between innovation and liability is thinner than ever.

If you’re in finance or compliance: you now have to screen for code. Not just addresses. Not just wallets. But entire smart contracts. That’s a new kind of risk.

And if you care about privacy: this is a turning point. The government just said: "We can sanction tools that protect your financial data." That’s not just about crypto. It’s about control.

Where Do We Go From Here?

The Tornado Cash case didn’t end with a verdict. It opened a door. Regulators now have a playbook: sanction the tool, not the person. But courts are still figuring out if that’s legal.

Future fights will focus on:

• Can the government regulate code as if it were a person?
• Do developers have a duty to prevent misuse of open-source software?
• Is financial privacy a right-or a red flag?

One thing’s certain: crypto won’t be the same. The days of "code is law" are over. Now, the law is trying to write code.