On August 8, 2022, the U.S. government did something no one had ever done before: it sanctioned a piece of code. Not a company. Not a person. Not a bank. A smart contract on the Ethereum blockchain - Tornado Cash. That single move changed everything about how regulators see privacy tools in crypto.
What Was Tornado Cash?
Tornado Cash wasn’t a company you could call or a website you could shut down. It was a set of open-source smart contracts deployed on Ethereum in 2019. Its job? To mix cryptocurrency transactions and make them untraceable. Users would deposit ETH or other tokens into a pool, wait a bit, then withdraw from a different address. The system used zero-knowledge proofs to prove ownership without revealing where the money came from. No KYC. No identity checks. Just math and cryptography. It supported deposits in 0.1 ETH, 1 ETH, 10 ETH, and 100 ETH chunks. That meant small users and big players could both use it. The platform didn’t hold your money - it was non-custodial. Once you sent funds in, the contract handled everything. Even the developers couldn’t touch it after deployment.
Why Did the U.S. Sanction It?
The U.S. Treasury’s Office of Foreign Assets Control (OFAC) didn’t act out of nowhere. Between 2019 and 2022, Tornado Cash processed over $7 billion in transactions. Of that, at least $455 million was traced back to North Korea’s Lazarus Group - a state-backed hacking team already under U.S. sanctions since 2019. Specific heists linked to Tornado Cash included:
- $96 million stolen from the Harmony Bridge hack in June 2022
- $7.8 million from the Nomad Bridge exploit in August 2022
The Unprecedented Part: Sanctioning Code
This was the first time OFAC added a decentralized protocol to its Specially Designated Nationals (SDN) list. Previous targets were entities with physical offices, CEOs, bank accounts. Tornado Cash had none of that. The code ran on thousands of nodes worldwide. No one owned it. No one could turn it off. Legal experts were stunned. If the government can sanction code, what stops them from banning any open-source tool that *could* be misused? Encryption? Blockchain explorers? Even GitHub repositories? Crypto developers suddenly faced a new risk: building privacy tools might make them targets. The message was clear - if your software helps criminals, even indirectly, you’re on the hook.
The Trial of Roman Storm
Roman Storm, one of Tornado Cash’s co-founders, was arrested in 2023 and stood trial in New York in 2025. His defense argued he created a privacy tool, not a money laundering service. He didn’t control the code after launch. He didn’t profit from criminal use. The jury didn’t buy all of it. On August 6, 2025, they convicted him of one charge: conspiracy to operate an unlicensed money transmitting business. But they deadlocked on the more serious charges - conspiracy to launder money and violate sanctions. That split verdict sent a mixed signal: developers can be held accountable, but only if their actions cross a line. It wasn’t a full win for prosecutors. It wasn’t a win for privacy advocates either. It was a legal gray zone - and that’s what makes it dangerous.
What Happened After the Sanctions?
You’d think the sanctions killed Tornado Cash. They didn’t. The smart contracts kept running. People still used them. According to blockchain analytics firms, exploiters didn’t stop using Tornado Cash after the sanctions - they just got better at hiding their activity. The platform’s usage dipped briefly, then stabilized. Criminals adapted. Regulators didn’t. Meanwhile, the TORN token - the platform’s governance token - saw wild swings. It dropped from $15 to under $2 after the sanctions. Then, on March 21, 2025, rumors spread that OFAC had lifted the sanctions. TORN jumped to $15 again within 48 hours. But no official reversal came. The market reacted to noise, not policy. Exchanges like Coinbase and Kraken scrambled to block Tornado Cash addresses. Compliance teams added hundreds of new contract addresses to their screening systems. One U.S.-based DeFi project reportedly spent $2 million in six months just to avoid accidental exposure.
Who’s Really Affected?
The biggest victims aren’t the hackers. They’re ordinary users. People in countries with unstable banks or oppressive regimes use crypto mixers to protect their savings. A Venezuelan activist, a Ukrainian refugee, a Hong Kong journalist - they might not care about North Korean hackers. They just want to send money without being tracked by their government. The sanctions made it risky for any U.S. person to interact with any Ethereum address that had ever touched Tornado Cash. Even if you didn’t know it. Even if you got the funds from a friend. Your wallet could be flagged. Your exchange could freeze your account. You could be forced to prove your innocence. Privacy isn’t just for criminals. It’s for dissidents, whistleblowers, and people who don’t want corporations or governments watching every dollar they move.
The Ripple Effect
Tornado Cash didn’t die - it became a warning sign. Other crypto mixers like Blender.io were already sanctioned in 2022. Now, new projects are building in ways that try to avoid the same fate. Some are adding compliance layers - requiring users to pass KYC before mixing. Others are moving to jurisdictions with looser rules. A few are experimenting with privacy protocols that don’t rely on centralized relayers or Ethereum at all. The EU is watching closely. Singapore is debating whether to ban mixers entirely. Brazil is considering a middle path - allowing privacy tools but requiring transaction reporting. The U.S. model - ban everything that *might* be abused - is becoming the most aggressive approach in the world. But it’s also the least sustainable. You can’t sanction code that runs on a global, decentralized network. You can only make it harder for honest people to use it.
Where Do We Go From Here?
The real question isn’t whether Tornado Cash was used for crime. It was. The real question is: should the punishment be applied to the tool, or the people who misuse it? If you ban a hammer because someone used it to break a window, you don’t solve crime - you just make it harder for carpenters to build houses. Regulators need tools that can target bad actors without crushing innovation. They need to understand that not all privacy is criminal. Not all decentralization is lawless. And not every smart contract is a money laundering service. The Tornado Cash case didn’t end with a verdict. It opened a door - and we’re still figuring out what’s on the other side.
Is Tornado Cash still operational today?
Yes. The smart contracts that power Tornado Cash are still active on the Ethereum blockchain. Even after U.S. sanctions, the code continues to run because no single entity controls it. Transactions still occur, though major exchanges and wallet providers block known Tornado Cash addresses to avoid legal risk.
Can I get in trouble for using a crypto mixer?
If you’re a U.S. person or entity, using a sanctioned mixer like Tornado Cash is illegal under OFAC rules. Even accidental interaction - like receiving funds from a mixer - can trigger compliance alerts, wallet freezes, or investigations. Outside the U.S., rules vary. Some countries ban mixers entirely; others allow them with reporting requirements.
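How address screening of the kind described above can flag a wallet that never used the mixer itself, shown as an added example (not code from any exchange, analytics vendor, or the original article). The addresses are constructed placeholders, and the BLOCK/REVIEW labels and the hop limit are assumed policy choices, not OFAC rules.

```python
from collections import deque

# Constructed placeholder identifiers, not real Ethereum addresses.
SANCTIONED = {"0xMIXER_POOL_A", "0xMIXER_POOL_B"}

# Constructed transfers: (sender, recipient).
TRANSFERS = [
    ("0xMIXER_POOL_A", "0xALICE"),      # withdrawal from a listed pool
    ("0xALICE", "0xBOB"),               # "funds from a friend"
    ("0xBOB", "0xEXCHANGE_DEPOSIT"),
    ("0xCAROL", "0xMIXER_POOL_B"),      # deposit into a listed pool
    ("0xDAVE", "0xERIN"),               # unrelated activity
]

def exposure_hops(transfers, sanctioned, max_hops=3):
    """Return {address: hops} for wallets downstream of a listed address.

    hops == 1 means funds came directly from a listed contract; higher
    values mean they passed through intermediate wallets first.
    """
    outgoing = {}
    for sender, recipient in transfers:
        outgoing.setdefault(sender, []).append(recipient)
    hops = {}
    queue = deque((addr, 0) for addr in sanctioned)
    while queue:  # breadth-first, so the first hit is the shortest path
        addr, depth = queue.popleft()
        if depth == max_hops:
            continue
        for nxt in outgoing.get(addr, []):
            if nxt in sanctioned or nxt in hops:
                continue
            hops[nxt] = depth + 1
            queue.append((nxt, depth + 1))
    return hops

def screen(address, transfers=TRANSFERS, sanctioned=SANCTIONED, max_hops=3):
    """Classify one wallet under the assumed policy described in the lead-in."""
    if address in sanctioned:
        return "BLOCK: listed address"
    if any(s == address and r in sanctioned for s, r in transfers):
        return "BLOCK: sent funds to listed address"
    hops = exposure_hops(transfers, sanctioned, max_hops).get(address)
    if hops == 1:
        return "BLOCK: received funds from listed address"
    if hops is not None:
        return f"REVIEW: indirect exposure at {hops} hops"
    return "CLEAR"
```

The `max_hops` setting is where the trade-off sits: a larger value catches more layering but also flags more wallets, like the constructed `0xBOB`, that only received funds second-hand.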
Why did the U.S. sanction software, not a person?
OFAC targeted Tornado Cash’s code because it’s a decentralized protocol with no central operator. The government couldn’t shut down a company or arrest a CEO - the code runs autonomously. By sanctioning the addresses, they tried to cut off access from U.S.-based users and institutions. It was a legal experiment to see if sanctions could work on immutable blockchain technology.
Did Roman Storm go to jail?
He was convicted of one charge - conspiracy to operate an unlicensed money transmitting business - but acquitted on the more serious money laundering and sanctions violations. He faces fines and possible probation, but not prison time. His case is still under appeal, and the legal precedent remains unsettled.
Are there legal alternatives to Tornado Cash?
Yes, but they’re more complex. Projects like Aztec Network and Tornado Cash 2.0 (a community fork) are building privacy tools with compliance features, such as optional KYC or transaction reporting. Some users now combine mixers with decentralized exchanges or privacy coins like Monero. But no solution is fully immune to regulation - and most still carry legal risk in the U.S.
Will other crypto tools be sanctioned next?
Almost certainly. Regulators have already flagged other privacy-focused DeFi protocols, anonymous DEXs, and cross-chain bridges. The Tornado Cash case set a precedent: if a tool enables large-scale anonymity and has been used by sanctioned actors, it’s at risk. Developers are now designing with compliance in mind - not just functionality.