US Treasury Sanctions Tornado Cash, Freezes Its AssetsPenalties for Anyone in US Jurisdiction Who Uses the Cryptocurrency Mixer
U.S. citizens can no longer legally use an online service used to hide stolen cryptocurrency after the federal government today sanctioned Tornado Cash.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The Department of Treasury ordered assets of the Ethereum blockchain cryptocurrency mixer to be frozen and says civil and potentially criminal penalties await anyone under U.S. jurisdiction who uses the service.
Cybercriminals have used Tornado Cash since its founding in 2019 to launder more than $7 billion of cryptocurrency, estimates Treasury. A hefty chunk of that amount - $455 million - includes money stolen by North Korean hacking group Lazarus Group. Pyongyang's secretive, hereditary Stalinist monarchy fuels its nuclear weapons program with stolen cryptocurrency.
Today's listing of Tornado Cash comes after it "repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis," says Brian Nelson, Treasury undersecretary for terrorism and financial intelligence.
Tornado Cash has been the "go-to mixer of North Korean cybercriminals for over a year or more," says Ari Redbord, head of legal and government affairs at analytics firm TRM Labs.
The sanctions mark a second attempt by Treasury to crack down on mixers, which pool potentially tainted funds and randomly distribute them to destination wallets in a bid to make tracing stolen cryptocurrency hard or impossible. Just months ago, Treasury sanctioned mixer Blender.io for its role in laundering funds stolen by North Korea in the largest virtual currency heist to date (see: First US Sanction of a Virtual Currency Mixer: Blender.io).
North Korean hacking groups, including Lazarus Group, Bluenoroff and Andariel, have already been under U.S. sanctions since 2019. Lazarus Group is suspected as the culprit behind the recent $100 million theft from Harmony's hacked cross-chain Horizon bridge, whose proceeds ran through Tornado Cash. At least $7.8 million of proceeds from this month's theft from cross-chain exchange Nomad also went through the mixer.
The message coming out of Treasury is that mixers can't be repurposed for illicit ends, says Redbord, a former Treasury official. Legitimate uses for cryptocurrency mixers exist, particularly when transactions are recorded on a publicly accessible blockchain. But "we cannot allow these mixing services to facilitate money laundering." Mixing services must adopt controls to guard against criminal actions, he says.
Measures such as "know your customer" may not be possible on a decentralized mixing service, but services such as Tornado Cash should monitor transactions for wallets associated with illicit actors, he says.
Although sanctions from Treasury's Office of Foreign Assets Control technically only affect U.S. persons, their impact is global. Getting added to the list is a signal the United States is looking closely at transactions on the platform. "Even if you're an illicit actor, you're going to be careful of transactions with Tornado Cash," Redbord says. Run-of-the-mill cybercriminals will likely now avoid Tornado Cash, although it's an open question whether North Korea will follow suit, he adds. Lazarus Group and its ilk will probably test the waters to see what happens after attempting to use Tornado Cash to launder their next infusion of stolen cryptocurrency.