US sanctions virtual currency mixer Tornado Cash for alleged use in money laundering

The U.S. Treasury Department on Monday imposed sanctions on crypto-mixing service Tornado Cash, citing its use by the North Korean-backed Lazarus Group in the high-profile hacks of Ethereum bridges to launder and disburse the ill-gotten gains.

Tornado Cash, which allows users to move cryptocurrency assets between accounts by obfuscating their origin and destination, has been estimated to have been used to fund more than $7.6 billion worth of virtual assets since its inception in 2019 wash, the department said.

According to blockchain analytics firm Elliptic, theft, hacks, and fraud account for $1.54 billion of the total assets sent through the blender.

Crypto shuffling is similar to digital currency shuffling through a black box, where a specified amount of digital funds are shuffled in private pools before being transferred to their intended recipients for a fee. The aim is to make transactions anonymous and difficult to trace.

Internet security

“Despite public assurances of a different nature, Tornado Cash has repeatedly failed to put in place effective controls to prevent it from routinely laundering funds for malicious cyber actors and has taken no basic steps to manage its risks,” Brian E. Nelson, Undersecretary of State Treasury Department for Terrorism and Financial Intelligence said.

The development comes as North Korea’s Lazarus Group (aka Hidden Cobra) has been linked to using the decentralized crypto mixer to channel proceeds from a series of major hacks targeting virtual currency services, including recently that of Axie Infinity and Harmony Horizon Bridge months.

The theft of $624 million worth of Ethereum from Axie Infinity’s Ronin network bridge is the largest known cryptocurrency heist to date, with last week’s $190 million Nomad Bridge hack taking fifth place. The theft of the Horizon Bridge comes in at 11am.

Specifically, the Treasury Department pointed to Tornado Cash’s role in laundering over $455 million and $96 million worth of cryptocurrencies stolen in the two heists. It has also been implicated in facilitating the theft of at least $7.8 million following the Nomad Bridge attack.

“Tornado receives a multitude of transactions and blends them together before transmitting them to their individual recipients,” the agency said. “While the ostensible purpose is to increase privacy, blenders like Tornado are often used by illegal actors to launder funds, particularly those stolen from significant heists.”

Also sanctioned by the department are 38 Ethereum-based addresses holding Ether (ETH) and USD Coin (USDC) linked to it, effectively banning US companies from trading with these wallets.

“As an intelligent, contract-based mixer, Tornado Cash is one of the most advanced methods available for laundering illicit cryptocurrency, and cutting it off from compliant cryptocurrency companies is a major blow to criminals looking to make money,” Chainalysis said.

Internet security

The move makes Tornado Cash the second cryptocurrency blender to be blacklisted by the Office of Foreign Assets Control (OFAC) after Blender.io was named in May 2022, also for its role in laundering illicit funds raised by the Lazarus Group and cybercrime cartels such as TrickBot, Conti, Ryuk and Gandcrab were skimmed.

It is also the latest escalation in a series of enforcement actions aimed at tackling cryptocurrency-based crime, after the Treasury imposed similar sanctions on virtual currency exchanges SUEX, CHATEX and Garantex last year.

North Korea is among the top state-sponsored countries, and its history of financially motivated attacks demonstrates the success it has had in using cybercrime to fund its activities to circumvent strict international sanctions.

The crackdown is therefore also aimed at preventing the Hermit Kingdom from converting illicit cryptocurrencies into more usable traditional currencies to fund nuclear development and achieve its national goals.

“The Tornado Cash community is trying its best to ensure that good players can use it, for example by providing compliance tools,” said Roman Semenov, one of the co-founders of Tornado Cash, said in a tweet. “Unfortunately, it’s technically impossible to prevent someone from using the smart contract on the blockchain.”

The sanctions appear to have further implications as Semenov’s GitHub account was suspended following the announcement. “Is writing a (sic) open-source code illegal now?”, he tweeted.

Leave a Comment