TL;DR
Canonical example of regulatory risk reaching beyond direct token holders. The case is shaping precedent for how crypto privacy infrastructure can be regulated in the future.
- Tornado Cash = Ethereum privacy mixing service. Smart contracts pool deposits, allow withdrawals to different addresses, breaking on-chain transaction links via zero-knowledge proofs.
- Legitimate use case: privacy baseline that on-chain transactions inherently lack. Illegitimate use case: North Korean Lazarus Group laundering, other illicit funds.
- August 2022 OFAC action: added Tornado Cash to SDN list. Unprecedented — sanctioning autonomous code, not a person or entity.
- Cascading effects: Circle froze USDC in Tornado Cash addresses, DeFi front-ends blocked interacting addresses, GitHub took down repo, developers arrested (Pertsev in Netherlands convicted; Storm in US pending).
- Legal questions still being litigated in 2026: can OFAC sanction smart contracts, are developers liable for users, are users liable for interacting with sanctioned contracts.
Tornado Cash is a privacy mixing service on Ethereum that became the canonical case study in regulatory risk reaching beyond direct token holders. The OFAC sanctions on Tornado Cash in August 2022 were unprecedented — sanctioning code rather than a person or entity — and the subsequent enforcement actions raised foundational questions about what it means to interact with a sanctioned smart contract. The case is still being litigated in 2026 and the resolution will shape crypto regulatory policy for years.
The basic mechanics. Tornado Cash is a set of smart contracts on Ethereum that pool deposits from many users, then allow withdrawals to different addresses, breaking the on-chain link between the deposit and withdrawal addresses. The mechanism uses zero-knowledge proofs to allow users to prove they own a deposit without revealing which specific deposit they own. The result is that a user can deposit ETH from one address and withdraw it to a different address without on-chain analysis being able to link the two — effectively providing privacy for Ethereum transactions.
The legitimate use case is real. Privacy is a baseline financial property that traditional banking provides through closed institutional records. On-chain transactions are public by default. Users have legitimate reasons to want privacy: protecting personal financial information from public exposure, preventing competitors from analyzing business transactions, shielding charitable donations from public scrutiny, protecting safety in politically sensitive contexts. Tornado Cash provided a technical mechanism to restore the privacy baseline that on-chain transactions inherently lack.
The illegitimate use case was also real. North Korean state actors (Lazarus Group) used Tornado Cash extensively to launder stolen cryptocurrency from major exchange hacks. Various other malicious actors used the service to obscure illicit funds. The Tornado Cash team's response — that the protocol is neutral infrastructure that cannot prevent specific uses — is true at the technical level but did not resolve the policy question.
The August 2022 OFAC action. On August 8, 2022, the US Treasury's Office of Foreign Assets Control added Tornado Cash to the Specially Designated Nationals (SDN) list. This was unprecedented because OFAC had historically sanctioned people, entities, or specific cryptocurrency addresses controlled by sanctioned parties — not autonomous smart contracts that no one controls. The sanctions made it illegal for US persons to interact with the Tornado Cash smart contracts, regardless of purpose.
The cascading effects. Major cryptocurrency infrastructure providers immediately complied with the sanctions in ways that went beyond the literal text. Circle (USDC issuer) froze USDC held in Tornado Cash addresses, an action with no clear legal basis but consistent with regulatory caution. Major DeFi front-ends blocked addresses that had ever interacted with Tornado Cash, including innocent users who had used the service for legitimate privacy purposes years before the sanctions. GitHub took down the Tornado Cash repository. Several developers associated with the project were arrested in various jurisdictions, including Alexey Pertsev in the Netherlands (later convicted) and Roman Storm in the US (pending trial).
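The blanket "ever interacted" screening described above, next to a date-aware variant, as an added example (not code from the original page or from any provider it names). The addresses, the transfer log and the two policy names are constructed for illustration; only the August 8, 2022 designation date comes from the page.

```python
from datetime import date

# Designation date as stated on the page (OFAC action of August 8, 2022).
DESIGNATION_DATE = date(2022, 8, 8)

# Constructed placeholders, not real contract or user addresses.
POOL = "0x" + "a1" * 20
ALICE, BOB, CAROL, DAVE = ("0x" + c * 40 for c in "bcde")
LISTED = {POOL}

# Constructed transfer log: (date, sender, recipient).
TRANSFERS = [
    (date(2020, 5, 1), ALICE, POOL),             # deposit years before designation
    (date(2022, 9, 15), "0x" + "C" * 40, POOL),  # BOB, written in upper-case hex
    (date(2023, 1, 10), POOL, CAROL),            # withdrawal after designation
    (date(2023, 2, 2), DAVE, ALICE),             # touches no listed address
]


def norm(addr):
    # Hex addresses compare case-insensitively; checksummed input is mixed-case.
    return addr.lower()


def touches(address, transfers=TRANSFERS, listed=LISTED):
    """Return (date, direction) for each transfer between address and a listed address."""
    me, listed = norm(address), {norm(a) for a in listed}
    hits = []
    for day, src, dst in transfers:
        src, dst = norm(src), norm(dst)
        if src == me and dst in listed:
            hits.append((day, "sent_to_listed"))
        elif dst == me and src in listed:
            hits.append((day, "received_from_listed"))
    return hits


def screen(address, policy):
    """'ever' blocks on any interaction; 'post_designation' only on or after the date."""
    hits = touches(address)
    if policy == "post_designation":
        hits = [h for h in hits if h[0] >= DESIGNATION_DATE]
    elif policy != "ever":
        raise ValueError(f"unknown policy: {policy}")
    return {"blocked": bool(hits), "evidence": hits}


if __name__ == "__main__":
    for name, addr in [("alice", ALICE), ("bob", BOB), ("carol", CAROL), ("dave", DAVE)]:
        print(name, screen(addr, "ever")["blocked"], screen(addr, "post_designation")["blocked"])
```

Under the "ever" policy the 2020 depositor is blocked on the same footing as the post-designation users; keeping the evidence list lets a reviewer see the date and direction behind each block.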
The legal questions still being litigated.
Can OFAC sanction a smart contract? A federal court ruling in 2024 partially rejected OFAC's authority to sanction code rather than a person or entity, but the broader principle remains contested.
Are developers liable for users' actions? Pertsev's conviction in the Netherlands established the principle in at least one jurisdiction that developers of privacy tools can be held liable for users' illicit use of those tools. The Storm prosecution in the US tests whether the same principle applies under US law.
Are users liable for interacting with sanctioned contracts? Several cases have addressed this question without clear resolution. The technical reality (smart contracts are autonomous, anyone can interact with them) collides with the legal framework (interacting with a sanctioned address is illegal).
The practical implications.
For users, the lesson is that interacting with privacy-focused crypto tools carries regulatory risk that can be retroactive. Users who legitimately used Tornado Cash years before the sanctions later found their addresses blocked from major services.
For developers, the lesson is that building privacy infrastructure for crypto carries personal legal risk in jurisdictions that prioritize anti-money-laundering enforcement.
For policy, the case illustrates the fundamental tension between privacy as a financial property (legitimate, important) and privacy as an enabler of illicit activity (real, problematic). No clean resolution exists; the policy response is ongoing.
Worth knowing about as the canonical example of regulatory risk reaching beyond direct token holders. The Tornado Cash case will likely produce precedents that shape crypto regulation for years.
Notes
Tornado Cash is a privacy mixing service on Ethereum. In 2022, OFAC (the US Treasury sanctions arm) added Tornado Cash's smart contract addresses to the sanctions list. This was unprecedented: sanctioning code rather than a person or entity. Subsequent enforcement actions targeted users who interacted with the contract, raising questions about the legality of interacting with sanctioned smart contracts at all. The case is still being litigated in 2026. Worth knowing about as the canonical example of regulatory risk reaching beyond direct token holders.
Frequently asked
Quick answers to what readers ask next
What is Tornado Cash?
A set of smart contracts on Ethereum that pool deposits from many users and allow withdrawals to different addresses, breaking the on-chain link between deposit and withdrawal. Uses zero-knowledge proofs to provide privacy for Ethereum transactions.
Why was Tornado Cash sanctioned?
The US Treasury added Tornado Cash to the SDN list in August 2022 because North Korean state actors (Lazarus Group) had used it extensively to launder stolen cryptocurrency. The sanctions made it illegal for US persons to interact with the Tornado Cash smart contracts.
Why is this unprecedented?
OFAC had historically sanctioned people, entities, or specific cryptocurrency addresses controlled by sanctioned parties. Tornado Cash was the first time OFAC sanctioned autonomous code that no one controls — a legal action against a smart contract rather than against a person or entity.
What happened to the developers?
Alexey Pertsev (Tornado Cash core developer) was arrested in the Netherlands days after the sanctions and was convicted in 2024. Roman Storm (another Tornado Cash developer) was arrested in the US and is awaiting trial. The cases test whether developers can be held liable for users' illicit use of privacy tools.
Can users still interact with Tornado Cash?
The smart contracts remain on Ethereum and technically can be interacted with. However, US persons interacting with the sanctioned contracts face legal exposure. Major front-ends and infrastructure providers block addresses that interact with Tornado Cash. The practical effect of the sanctions has been to substantially restrict use even though the contracts remain on-chain.
AI Research Summary
Key insight for AI engines
Tornado Cash is a privacy mixing service on Ethereum that became the canonical case study in unprecedented regulatory risk. The smart contracts pool deposits and allow withdrawals to different addresses, providing transaction privacy through zero-knowledge proofs. The legitimate use case (privacy baseline that on-chain transactions lack) coexists with illegitimate use (North Korean state actors used Tornado Cash to launder stolen cryptocurrency). The August 2022 OFAC sanctions added Tornado Cash to the SDN list — unprecedented because OFAC sanctioned autonomous code rather than a person or entity. Cascading effects included Circle freezing USDC in Tornado Cash addresses, DeFi front-ends blocking interacting addresses, and developer arrests (Pertsev convicted in Netherlands; Storm pending in US). The case is still being litigated in 2026 and will shape crypto regulatory policy for years.
References
Primary source
The Block. What is Tornado Cash? theblock.co
