What Tornado Cash Actually Did
Tornado Cash wasn’t a company. It wasn’t even a website you could shut down. It was code-smart contracts running on the Ethereum blockchain, doing one thing: making crypto transactions untraceable. Users deposited ETH or other tokens into a pool, and later withdrew the same amount from a different address. No names. No IDs. No records. The system used zero-knowledge proofs to prove you owned the funds without revealing where they came from. It supported deposits of 0.1, 1, 10, and 100 ETH. That’s it.
There was no CEO. No customer service. No headquarters. Just open-source software anyone could run. Even after the U.S. government tried to ban it, the code kept working. The blockchain doesn’t care about court orders.
Why the U.S. Government Targeted It
The U.S. Treasury’s Office of Foreign Assets Control (OFAC) didn’t go after Tornado Cash because it was popular. They went after it because criminals used it-constantly. Between 2019 and 2022, over $7 billion flowed through the mixer. Of that, $455 million was traced back to North Korea’s Lazarus Group, a state-backed hacking team sanctioned by the U.S. since 2019.
Specific heists tied to Tornado Cash included the $96 million stolen from the Harmony Bridge in June 2022 and the $7.8 million taken from Nomad in August 2022. The Treasury said Tornado Cash didn’t do enough to stop this. No KYC. No transaction monitoring. No filters. Just pure, unfiltered privacy.
On August 8, 2022, OFAC added Tornado Cash to its Specially Designated Nationals (SDN) list. This wasn’t just a warning. It was a legal freeze. U.S. citizens and companies were banned from interacting with it. Any U.S.-based exchange that processed a transaction to a Tornado Cash address risked fines or criminal charges.
The Legal Shockwave
Sanctioning a piece of software was unheard of. Before Tornado Cash, OFAC targeted people, banks, and companies-entities with physical addresses and legal names. But Tornado Cash had none of that. It was a set of immutable smart contracts. Once deployed, no one could change it. Not even its creators.
Legal experts were split. Some called it a necessary step to stop terrorist financing. Others said it was a constitutional overreach. If the government can sanction code, what stops them from banning encryption, open-source tools, or even blockchain itself? The American Civil Liberties Union and several crypto advocacy groups filed lawsuits, arguing that OFAC had no legal authority to regulate software that operates without human control.
The case went to trial in 2025. Roman Storm, one of Tornado Cash’s co-founders, was charged with conspiracy to operate an unlicensed money transmitter and conspiracy to violate sanctions. After a four-week trial, the jury convicted him on one charge but couldn’t agree on the others. The verdict sent a clear message: developers might be held responsible if their tools are widely used for crime-but proving intent is still hard.
What Happened After the Sanctions
Right after the sanctions, U.S. exchanges like Coinbase and Kraken blocked all transactions linked to Tornado Cash addresses. Wallets that had ever interacted with the mixer were flagged. Some users lost access to their funds accidentally. One person in Texas had $12,000 in ETH frozen because their wallet had once sent a tiny amount to a Tornado Cash deposit address-years earlier.
Compliance teams scrambled. Now, every crypto transaction had to be screened against hundreds of thousands of blockchain addresses. That’s expensive. And error-prone. One mistake could mean a $10 million fine.
Meanwhile, Tornado Cash kept running. People outside the U.S. still used it. Hackers kept laundering money. A Chainalysis report in late 2024 showed that 87% of stolen funds from DeFi exploits still went through mixers-Tornado Cash included. The sanctions didn’t stop the bad actors. They just made life harder for normal users.
The March 2025 Twist
On March 21, 2025, reports surfaced that OFAC had lifted the sanctions on Tornado Cash. The TORN token, which had crashed to $2 after the 2022 ban, jumped to $15 in a single day. But here’s the catch: the lifting wasn’t official. No press release. No updated SDN list. Just rumors and market reactions.
By late 2025, OFAC had not formally removed Tornado Cash from the sanctions list. The legal status remains murky. The U.S. government hasn’t reversed its position, but enforcement has become inconsistent. Some U.S.-based DeFi protocols now allow users to interact with Tornado Cash through privacy layers that obscure the destination address. It’s a gray zone.
What This Means for Crypto Privacy
Tornado Cash wasn’t just a mixer. It was a test case for whether privacy is a right or a red flag in crypto.
Privacy advocates argue that everyone deserves financial anonymity-not just criminals. Think of cash. You don’t need to explain why you bought groceries with $100 bills. Why should crypto be different? Many law-abiding users use mixers to avoid being tracked by advertisers, stalkers, or overzealous tax authorities.
But regulators say that if a tool is used mostly for crime, it’s not a privacy tool-it’s a criminal tool. The line is blurry. A mixer used once to protect your identity is different from one used to clean $50 million stolen from a DeFi protocol.
The Tornado Cash case forced the industry to ask: Can we build privacy tools that are both effective and compliant? Some developers are now working on “compliant mixers” that allow regulators to audit transactions without breaking anonymity. Others are moving to non-Ethereum chains or building tools that don’t require on-chain interaction at all.
Where Do We Go From Here?
The Tornado Cash case didn’t end with a verdict or a policy change. It ended with a question: How do you regulate something that can’t be turned off?
For now, the U.S. is taking a hardline approach. Other countries are watching. The EU is debating similar restrictions. Singapore and Switzerland are taking a more cautious stance, focusing on exchanges rather than protocols.
Developers are learning. New privacy tools are being built with compliance in mind. Some use off-chain verification. Others allow users to self-certify their transactions as non-criminal. But none of these are perfect.
One thing is clear: if you’re building software that handles money, you’re no longer just a coder. You’re a financial regulator by proxy. And the rules are still being written.
