The U.S. government’s sanctioning of Tornado Cash in 2022 didn’t just target a crypto tool - it rewrote the rules of what’s possible in blockchain regulation. For the first time ever, a piece of open-source software was added to the Treasury Department’s Specially Designated Nationals (SDN) list. Not a company. Not a person. A smart contract. And it’s still running.
What Tornado Cash Actually Did
Tornado Cash wasn’t a bank. It wasn’t even a website you logged into. It was a set of self-executing code on the Ethereum blockchain, launched in 2019. Its job? To break the link between where crypto came from and where it went. Users deposited ETH - in amounts like 0.1, 1, 10, or 100 ETH - into a shared pool. Later, they withdrew the same amount from a different address. Because every deposit got mixed with dozens of others, blockchain explorers couldn’t trace the original source. It wasn’t magic. It was math. Specifically, zero-knowledge proofs - a cryptographic method that proves you’re allowed to withdraw without revealing which deposit you made. This wasn’t designed for criminals. It was built for people who didn’t want their financial history on public display. Think activists in authoritarian countries, whistleblowers, or just privacy-conscious users. But because it worked so well, it also became the go-to tool for laundering stolen funds.The Breaking Point: North Korea and $455 Million
The U.S. Treasury’s Office of Foreign Assets Control (OFAC) didn’t act out of paranoia. They had hard numbers. Between 2019 and 2022, Tornado Cash processed over $7 billion in transactions. Of that, more than $455 million came from hacks tied to North Korea’s Lazarus Group - a state-backed cyber unit already under U.S. sanctions since 2019. Key incidents pushed OFAC to act:- $96 million from the Harmony Bridge hack in June 2022
- $7.8 million from the Nomad Bridge breach in August 2022
Sanctioning Code: A Legal First
On August 8, 2022, OFAC added Tornado Cash’s Ethereum addresses to the SDN list. U.S. persons - that means citizens, companies, and anyone in the U.S. - were now forbidden from interacting with it. Even opening a wallet that had ever sent funds to Tornado Cash could trigger a violation. Exchanges like Coinbase and Kraken scrambled to block transactions. Wallets began flagging addresses. Some users got locked out of their own funds. The real shock? Tornado Cash didn’t shut down. The smart contracts kept running. The code was immutable. No one could turn it off. The sanctions didn’t kill the tool - they just made it dangerous to use. And criminals? They kept using it anyway.
The Trial of Roman Storm
Roman Storm, one of Tornado Cash’s co-founders, was arrested in 2023 and stood trial in New York. Prosecutors argued he knowingly created a tool for money laundering. His defense? He built a privacy tool, like encryption. You don’t jail the creator of a password manager because a hacker used it. The verdict in August 2025 split the difference. The jury convicted Storm on one count: conspiracy to operate an unlicensed money transmitting business. But they deadlocked on the bigger charges - money laundering and violating sanctions. That’s huge. It means the system still can’t agree on whether code creators are responsible for how strangers use their work.What Happened After the Sanctions
You’d think the sanctions crushed Tornado Cash. But data shows otherwise. A 2025 Chainalysis report found that laundering activity through Tornado Cash didn’t drop after the ban. It dipped briefly, then rebounded. Why? Because the protocol is decentralized. No servers. No employees. No CEO to arrest. The code lives on. Even more surprising: on March 21, 2025, reports surfaced that OFAC had lifted sanctions on Tornado Cash. The TORN token, the platform’s governance token, jumped from $8 to $15 overnight. But here’s the catch - no official announcement came from the Treasury. No press release. No legal clarification. The market reacted to rumors, not policy.
Who’s Really Affected?
The fallout hit ordinary users hardest. People who used Tornado Cash to protect their privacy - not to hide crime - suddenly found their wallets flagged. Some lost access to funds. Others got blocked from using DeFi platforms. Financial institutions now spend millions scanning for Tornado Cash addresses. It’s a compliance nightmare. Developers are scared, too. If you build a privacy tool, even one with legitimate uses, could you be next? Projects like Aztec, Semaphore, and others are now adding compliance layers - not because they want to, but because they have to.The Bigger Picture
Tornado Cash didn’t just test the law - it broke it open. Regulators now face a question they never expected: Can you sanction code? If yes, where do you draw the line? Should you sanction:- A Bitcoin wallet app that doesn’t require ID?
- A decentralized exchange that lets anyone trade without KYC?
- A blockchain protocol that allows anonymous voting?
What’s Next?
Legal challenges are still active. Lawsuits are pending in multiple federal courts, arguing that OFAC overstepped its authority. Meanwhile, new privacy protocols are emerging - ones designed to be even harder to regulate. Some are built on non-Ethereum chains. Others use novel cryptographic techniques that don’t rely on public pools at all. One thing’s certain: the era of unregulated crypto privacy is over. But the era of blanket bans on tools that have legitimate uses? That’s still being fought in courtrooms, on blockchains, and in the minds of developers around the world.Is it still illegal to use Tornado Cash in the U.S.?
The official U.S. sanctions on Tornado Cash were lifted in March 2025, but there was no public announcement from OFAC. As a result, many exchanges and wallet providers continue to block Tornado Cash addresses out of caution. Legally, the status is unclear. Until the Treasury provides formal guidance, using Tornado Cash carries risk - even if the sanctions are technically gone.
Why didn’t the sanctions shut down Tornado Cash?
Tornado Cash runs on Ethereum smart contracts - self-executing code that lives on the blockchain. Unlike a company or server, there’s no central team to shut down. No one owns the code. No one controls it. Once deployed, it runs automatically. Sanctions can block people from using it, but they can’t delete code from the blockchain.
Can crypto developers be held criminally liable for how their software is used?
The Roman Storm trial showed it’s possible - but not guaranteed. He was convicted on one charge related to unlicensed money transmission, but not on the more serious money laundering charges. Courts are still figuring out the line between building a tool and enabling crime. The precedent is weak, but the threat is real. Developers now face legal risk even if their software has legitimate uses.
Are there alternatives to Tornado Cash today?
Yes. Protocols like Aztec Connect, Tornado Cash forks with compliance features, and newer zero-knowledge systems on Solana and Polygon are emerging. Many now include optional KYC layers or use cross-chain mixing to avoid U.S. jurisdiction. But none have the same scale or trust as Tornado Cash did before the sanctions.
Did the sanctions reduce crypto crime?
No. According to blockchain analytics firms, laundering activity through Tornado Cash dipped briefly after the sanctions, then returned to pre-sanction levels. Criminals simply shifted to other mixers or used more complex techniques. The sanctions didn’t stop crime - they just made compliance harder for honest users.