The US Treasury this week sanctioned Tornado Cash, a cryptocurrency ‘mixer’ that allows users to obfuscate their transactions, over its alleged failure to protect against money laundering.

The move strikes a blow against cybercriminals, who use mixers to launder stolen cryptocurrency, but it has prompted complaints that the US approach to crypto regulation is an “uncontrolled witch hunt”.

Tornado
Cryptocurrency mixers allow users to cover the transaction history of their holdings (Image by Comstock / iStock).

The US Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on Tornado Cash on Monday for failing to impose anti-money laundering (AML) protections. The sanctions mean it can no longer process transactions by US citizens.

“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks,” said Brian Nelson, undersecretary of the US Treasury for terrorism and financial intelligence.

“Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them,” he added.

Tornado Cash is the second mixer to be sanctioned by the US Treasury, after Blender.io in May. Both have been used by North Korean APT group Lazarus to launder millions of dollars in cryptocurrencies, the US Treasury says.

What is a cryptocurrency mixer?

All transactions on a blockchain, such as those that underpin cryptocurrencies, are recorded and visible to all participants. This means cryptocurrency, including coins and tokens that have been stolen, can be traced as they pass between wallets and exchanges.

Mixers allow cybercriminals to cover their tracks by adding their cryptocurrency to a large pool and returning the equivalent amount, minus a commission. This obfuscates the transaction history of crypto.

In April of this year, the value of cryptocurrency being moved through mixers reached $52m a day, according to web3 research provider Chainalysis.

Tornado Cash is an Ethereum-based mixer that has processed over $7bn in cryptocurrency since it was established in 2019. According to Chainalysis, 18% of these transactions involved sanctioned entities, and 11% involved funds stolen from other cryptocurrency services and protocols. This includes $455m in crypto that was stolen from the Axie Infinity Ronin Bridge protocol, the largest cryptocurrency theft to date.

In fact, Tornado Cash has been used to launder at least some of the funds stolen in every cryptocurrency heist this year, says Andrew Fierman, head of sanctions strategy at Chainalysis.

Will sanctions on crypto mixers cut cybercrime?

“More cryptocurrency is being stolen than ever,” says Fierman. Cutting off Tornado Cash from “compliant cryptocurrency businesses” represents a huge blow for criminals looking to cash out, he says.

Sanctions by the US will make it harder for Tornado Cash to operate in the rest of the world, adds Nick Smart, head of blockchain analysis at crypto compliance service provider Crystal Blockchain. “A mixer needs both trust and liquidity in order to be effective, and these capabilities are hard to replace overnight,” he says. 

However, the move is unlikely to affect ransomware groups, which typically demand ransoms in cryptocurrency, Smart says. “From what we have seen, ransom groups tend not to rely so much on mixing services as it raises suspicion at exchanges,” he says. “They rely more on the victim not disclosing the payment address.

“In addition, most ransomware payments are made in Bitcoin, not Ethereum et al, which Tornado Cash was catering for.” 

Are sanctions on crypto mixers fair?

Not everyone who uses a crypto mixer is a criminal, and some users simply want to protect their privacy. Legitimate customers based in the US will be barred from using Tornado Cash following the sanctions.

However, this was already becoming risky, says Feinman, as other stakeholders in the crypto ecosystem view mixers with increasing suspicion. “These users may unknowingly mix their funds with illicit funds, which may raise flags across the ecosystem considering the increase in compliance controls,” he explains.

“Many virtual asset service providers consider mixers to be high risk, and so if they see their customers using them, it may trigger increased scrutiny and compliance measures – presumably the exact opposite of what the user is trying to achieve.”

Dmitry Gooshchin, co-founder of algorithmic crypto trading platform Endotech, welcomes the crackdown on cybercrime but believes the US’ approach is haphazard. “The government has been slow to establish criteria, yet quick to react,” he says.

“We are seeing continued growth in regulation and sometimes it feels like an unbridled, uncontrolled witch hunt,” he adds. “Overall, as an industry, we wish we would have more considered and collaborative regulatory processes to both protect customers and ensure room for innovation.”

Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.

Read more: Can technology fix banking’s ‘dirty money’ problem?