In March of this year, suspected North Korean government hackers stole more than $600 million in ether from hyped-up play-to-earn game Axie Infinity in one of the largest crypto hacks in history. The hackers then sent a part of the proceedings ($100 million at the time) through the Tornado Cash, a so-called mixing service designed to obscure the origin of funds.
Tornado Cash is a protocol that allows users to send in some cryptocurrency using their own wallets and get it back via different addresses. Its code is designed to mix a user’s crypto with a pool of other Tornado Cash’s users’ crypto in a smart contract, making it harder—if not impossible—to track. The service’s official site claims that users have deposited more than 3.2 million ETH (roughly $3.5 billion) in the service since it was launched in August of 2019.
Of that $3.5 billion, more than $1 billion—that is almost a third of all the funds that’s gone through Tornado Cash—was “laundered” through the protocol, “the vast majority from thefts and hacks,” according to Arda Akartuna, a cybersecurity threat analyst at blockchain tracking firm Elliptic. A spokesperson for Chainalysis, another blockchain tracking firm, said that the company estimates $1.2 billion of “illicit funds” have gone through Tornado Cash.
“They’re the reason most scammers can scam without fear of retribution,” LP, the founder of the cybersecurity companies RugDoc and Paladin Blockchain Security, told Motherboard in an online chat. LP prefers not to use her full name to protect her privacy.
Tornado Cash wasn't created by criminals, however. Founder Roman Semenov runs a cybersecurity firm called PepperSec, and the service portrays itself as being a privacy tool similar to encryption services like Tor, which can be used by journalists and activists or dark web drug dealers alike. Not only that, but the developers say they have no control over the smart contracts that the system runs on, because they permanently disposed of their cryptographic keys, even as they attempt to implement some form of compliance with the U.S. sanctions regime.
“The proliferation of crimes involving the theft of Ethereum-based assets has made Tornado Cash a uniquely dominant and challenging force in these investigations.”
The existence of Tornado Cash is simply a result of market dynamics, and mixing services have existed for as long as the blockchain. Transactions on public blockchains are viewable by anybody by default, and several types of users—including the privacy-minded, and the criminals—want to hide their movements. Tornado Cash shows the tension between the immutable blockchain, real-world power, and the never-ending cat-and-mouse game between sleuths and privacy enthusiasts. But according to experts, Tornado Cash may be trackable in certain situations.
Yet, it is creating new challenges for law enforcement investigating crimes on Ethereum.
“The use of mixing services to launder proceeds is nothing new, but the proliferation of crimes involving the theft of Ethereum-based assets has made Tornado Cash a uniquely dominant and challenging force in these investigations,” a U.S. prosecutor who has experience investigating cybercrime, and who asked to remain anonymous, told Motherboard.
Tornado Cash’s creators see themselves differently.
“Tornado cash is a privacy protocol. The design of Tornado Cash means that it's uncensorable, permissionless, and completely trustless,” a Tornado Cash community manager who goes by Heimdall wrote in the service’s official Telegram channel in April, explaining how the service works. “Tornado Cash as a project has no special knowledge of who is using the dApp [decentralized application]. There are no admins with a special ability to investigate transactions. Nor can anyone stop someone from using the protocol."
It’s these properties that have made Tornado Cash controversial. And, according to some, operating such services may be illegal in some cases.
“As a general rule, having anything to do with a mixing service is a bad idea. Past operators of these services have found themselves liable under a range of federal laws including operating an unlicensed money transmitting business and money laundering. These are serious crimes that can carry lengthy prison terms,” Preston Byrne, a lawyer that specializes in cybercrime and crypto, told Motherboard in an email. “Without commenting on Tornado Cash specifically, acts like providing help to someone who wants to use the code, uploading a mixing smart contract to a protocol or operating a web app which can hook into a user’s Metamask wallet strays into potentially criminal territory.”
For example, last year, the Department of Justice arrested Roman Sterlingov of money laundering for owning and operating the crypto mixer Bitcoin Fog. Also in 2021, Larry Dean Harmon, the developer of mixing service Helix, pled guilty to charges of conspiracy to launder money and running an unlicensed money-transmitting business. He faces 20 years in prison.
Do you have information about crypto hacks? Do you research vulnerabilities on cryptocurrencies and their networks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email email@example.com
The creators of Tornado Cash have long argued that their service is agnostic, and that they can’t do anything to prevent hackers from using it because of the way it’s designed, and because “all we do is write code and publish it on GitHub,” Tornado Chash’s founder Roman Semenov told Bloomberg in March. “This is pretty close to the definition of free speech so writing code cannot be illegal,” he added.
On the free speech point, Byrne said that “it’s correct that merely writing code on GitHub is protected speech in the United States. Without more, mere publication is unlikely to give rise to criminal liability. Doing literally anything other than that risks landing a developer in hot water.”
And Tornado Cash does indeed do more than that. It provides and maintains a user interface with a web application that allows users to send funds to Tornado cash through a browser.
Romanov argues that he and the other developers can't control who uses the service, and “don’t have more access to it than any other users.”
“There’s not much we can do,” he told Bloomberg.
That’s because Tornado Cash uses smart contracts on the Ethereum blockchain, which cannot be changed and which the developers have no control over. In May of 2020, the protocol’s developers burned the cryptographic keys that allowed them to access and modify the smart contract. In practice, this means Tornado Cash’s protocol is now “perpetually self-executing code,” as CoinDesk put it at the time.
In the Bloomberg interview, Romanov also argued that the difference between Tornado Cash and Bitcoin Fog and Helix is that those services were custodial, meaning they held users’ funds, which makes them money transmitters, something that Tornado Cash is not.
After speaking to Bloomberg in March, Romanov told Motherboard that he is now “trying to avoid giving any comments on regulation nowadays, only giving tech talks,” arguing that he and his colleagues “had some bad experience with media lately.” He has since stopped answering messages sent to his Telegram account.
The issue of regulations and sanctions has become relevant recently, after North Korean hackers moved some of the funds they stole from Axie Infinity through Tornado Cash. After the hack, the U.S. government added the hackers’ Ethereum address to the North Korean sanctions list. In practice, that means anyone interacting with that address may expose themselves to U.S. government prosecution and sanctions.
“Generally speaking if an individual or company provided a web portal and customer support line for a mixing service this would be what we lawyers refer to as an ‘unhelpful fact,’” Byrne said, adding that an unhelpful fact is “something that would cause a lawyer to lose sleep at night or grumble in a curmudgeonly fashion while muted on a conference call.”
“Tracing through Tornado Cash is sometimes possible.”
On April 15, after the U.S. government announced the hackers’ wallets were now in the sanctions list, Tornado Cash announced that it was using a service created by Chainalysis to block addresses on the U.S sanctions list from accessing its dApp.
“Maintaining financial privacy is essential to preserving our freedom, however, it should not come at the cost of non-compliance,” the service wrote on Twitter.
That, however, does not mean the North Korean hackers—or anybody else blocked by the tool—can’t use Tornado Cash at all. They can still use the Tornado Cash smart contracts to mix and launder crypto due to the open, uncensorable, and unchangeable properties of the blockchain.The contracts are “immutable,” Romanov said in a tweet, in response to a question about whether it was a change to the front end only.
Of course, Tornado Cash is not used only by hackers and criminals. Emiliano Bonassi, a blockchain cybersecurity researcher, told Motherboard that he uses it to avoid people being able to trace his crypto transfers and knowing all the movements he makes. And in order to be able to explain how he got some crypto, Bonassi said that he keeps the receipts of his transactions on Tornado Cash in case he has to disclose them. (Tornado Cash provides its users with a digital receipt.)
“Overall, I think projects like Tornado Cash are critical to the creation of true ‘digital cash,’ one that functions with the fungibility and privacy of actual cash, but they pose obvious issues to regulators who want to enforce existing laws,” Ben Schmidt, the co-founder of blockchain cybersecurity company PolySwarm, told Motherboard in an email. “Enforcing current anti-money laundering laws and similar in such systems is difficult to impossible, so it is likely that future, more widely-used systems will have to find some compromise between user privacy and preventing abuse."
As effective as Tornado Cash is, it is not bulletproof.
LP said that she and her team have successfully traced crypto that moved through Tornado Cash. As she explained, that’s possible “if there is a large deposit, low liquidity, or the funds are being shuttled into a smaller blockchain, they are still traceable. You can essentially start looking for withdrawals that are the same as your deposit or withdrawn in a specific time period around a deposit to match them.”
“Tornado is still key in washing funds for both the average scammer and the sophisticated one. It’s just that the average scammer thinks that by just using Tornado they are now untraceable which probably isn’t true and sophisticated hackers will use Tornado as part of a larger and more successful process in washing stolen funds,” she said.
Tom Robinson, the co-founder and chief scientist of Elliptic, confirmed LP’s explanation, saying that “the more liquidity in any mixer, the more effective it will be. You're trying to hide in a crowd, the smaller the crowd, the more difficult it is to remain hidden.”
That means “tracing through Tornado Cash is sometimes possible, depending on exactly how it is used and the opsec of the user,” Akartuna, the Elliptic researcher explained. “We have had success in tracing funds through Tornado Cash in the past.”
On the blockchain, it seems that not everybody can hide forever, not even in a tornado.