How Tornado Cash works

Unlike traditional financial systems that prioritize users’ privacy, blockchain public ledgers are accessible to everyone on blockchain explorers. Tornado Cash counters this by enabling anonymous transactions through smart contracts and zero-knowledge proofs, specifically zk-SNARKs.

Crypto mixers typically pool and shuffle users’ funds, deduct a fee, and redistribute them. Tornado Cash, however, uses a pool-based system where deposits are commingled in a smart contract, and withdrawals to new addresses are delinked using zk-SNARKs, ensuring anonymity without random shuffling.

Here’s how it works:

At its core, Tornado Cash has smart contracts that break the onchain link between a sender and receiver. When a user deposits a cryptocurrency into a Tornado Cash pool, the smart contract issues a cryptographic note that the user can later use to withdraw the same amount to a different wallet address without revealing the link between the two.

As Tornado Cash is a decentralized protocol, the underlying smart contracts cannot be changed or destroyed by anyone, including the Tornado Cash decentralized autonomous organization (DAO).

The system uses ZK-proofs, which allow a user to prove that they have the right to withdraw a specific amount without revealing what deposit was theirs. This mechanism ensures that deposits and withdrawals are mathematically linked but anonymous.

Tornado Cash is non-custodial, meaning it does not hold user funds at any point. The code runs independently and cannot be altered or controlled by the developers. The funds can remain in the pool for as long as the user likes.

Before sanctions, Tornado Cash was primarily accessed via its web interface by connecting a crypto wallet. Advanced users could also interact with the protocol’s smart contracts directly using a command-line interface.

How Tornado Cash got into trouble

Tornado Cash landed in legal trouble primarily because it was allegedly used to launder billions of dollars in illicit funds, including crypto stolen in high-profile hacks. The Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash on Aug. 8, 2022, under Executive Order 13694.

There were several reasons behind Tornado Cash facing issues with regulators: 

Facilitation of money laundering: Tornado Cash was accused of facilitating money laundering, with the OFAC claiming it processed over $7 billion in virtual currency since 2019, approximately 30% of which was linked to illicit activity, per Chainalysis.Support for North Korean cybercrime: The platform was linked to laundering more than $455 million stolen by the Lazarus Group, a North Korean state-sponsored hacking group.Threat to national security: The OFAC accused Tornado Cash of materially assisting cyber-enabled activities originating outside the US, posing a significant threat to US national security, foreign policy and economic stability.Lack of effective controls: The Treasury highlighted Tornado Cash’s failure to implement adequate Anti-Money Laundering (AML) measures, allowing malicious actors to exploit it.Obfuscation of illicit transactions: According to the OFAC, Tornado Cash was facilitating anonymous transactions by obscuring their origin, destination and counterparties, enabling criminals to hide the proceeds of cybercrimes.

Tornado Cash was designed to obfuscate the entire transaction history. This feature was beneficial for privacy, particularly in use cases like payroll, donations and personal spending, where anonymity can be important. 

However, the very feature that made it attractive for legitimate use also made it appealing to bad actors looking to launder money or conceal illicit transactions. This drew significant attention from regulators, who became concerned about the potential for criminal activities such as money laundering, terrorism financing or other forms of illicit finance.

On March 21, 2025, the US Treasury lifted sanctions imposed by the Biden administration against Tornado Cash. 

Did you know? In August 2022, the US Treasury sanctioned Tornado Cash smart contracts, marking the first time code, not a person or organization, was blacklisted. This sparked a heated global debate over open-source freedom.

Debate around Tornado Cash

The action against Tornado Cash followed similar sanctions against Blender.io in May 2022, signaling a broader regulatory push to address cryptocurrency mixers. Such actions sparked a controversy in the crypto community. 

Critics of regulatory actions on the decentralized crypto mixers argue that sanctioning open-source code and punishing developers for creating privacy-preserving tools pose a threat to free speech and innovation. It undermines the neutrality of blockchain tools and sets a precedent where governments could censor software itself, not just its use.

On the other hand, advocates of hardened regulatory sanctions say it is a necessary step to combat crypto-related crime and that illicit activity cannot be left unchecked. While the protocol does have legitimate uses, the scale of its illicit use, nearly 30% of funds tied to illicit actors, outweighed these benefits. 

They argue that the decentralized, non-custodial nature of the smart contracts in such protocols, which cannot be modified or controlled, complicates efforts to mitigate misuse. This leaves regulators with no option but to take action against the protocol itself to deter similar platforms from operating without safeguards.

The Treasury held that the platform consistently failed to implement effective controls to prevent money laundering by malicious cyber actors. This lack of oversight allowed illicit actors to exploit the service without restriction, prompting the need for regulatory intervention to curb unchecked abuse.

Nevertheless, the case has set up pressing questions about how to balance financial privacy with security and how decentralized, permissionless systems can coexist with traditional legal frameworks.

Did you know? The Tornado Cash protocol is governed by a DAO, allowing tokenholders to vote on upgrades and proposals. Even after sanctions, the DAO continued to operate briefly on-chain.

The efficacy of “sanctions” and their removal

Despite sanctions, Tornado Cash remained operational through decentralized technologies like InterPlanetary File System (IPFS) and Tor. Its resilience led to doubts around the efficacy of sanctions on decentralized protocols and the broader implications for crypto regulation under evolving US policy.

According to Chainalysis, Tornado Cash kept functioning on the dark web despite the sanctions. Its front end was available on the IPFS and via The Onion Router (known as Tor). IPFS is a peer-to-peer, distributed protocol for data storage and sharing, while Tor is open-source software enabling anonymous communication, often called the dark web.

Per Flipside Crypto data, Tornado Cash saw $1.9 billion in deposits between Jan. 1 and June 30 in 2024, compared to $635.696 million in deposits during the same period in 2023.

Unlike centralized services, Tornado Cash is decentralized and autonomous, making it difficult to shut down or control. But the US government targeted associated infrastructure, including GitHub repositories and websites. 

Developer Alexey Pertsev was arrested in the Netherlands on suspicion of concealing illicit financial flows and facilitating money laundering. Two of the co-founders, Roman Storm and Roman Semenov, were charged in 2023 for involvement in more than $1 billion in money laundering.

A Dutch court later suspended Pertsev’s pretrial detention. A US court determined that Tornado Cash’s smart contracts aren’t “property,” though legal experts note this doesn’t clear the founders of other charges. High-profile figures like Vitalik Buterin and Edward Snowden have publicly supported Pertsev in the matter.

The Treasury stated that a review of legal and policy issues regarding sanctions in “evolving technology and legal environments” led to the repeal of sanctions. In January 2025, a US court overturned the sanctions. The ruling came after Joseph Van Loon and other Tornado Cash users filed an appeal against the sanctions, arguing that the OFAC had overstepped its congressional authority by blacklisting the mixer in 2022.

In April 2025, a federal judge in Texas ruled that the US Treasury Department’s sanctions against Tornado Cash were unlawful and barred the agency from reimposing them on the crypto mixer.

Tornado Cash sanctions repeal: What’s next for crypto privacy?

The repeal of sanctions on Tornado Cash marks a pivotal moment for decentralized finance (DeFi) and crypto privacy. It underscores the challenges of regulating permissionless, immutable systems while highlighting the growing legal recognition of code as distinct from traditional property or entities.

For users, the lifting of sanctions restores access to a tool designed for financial privacy, potentially boosting adoption for legitimate use cases like shielding personal transactions or protecting sensitive donations.

However, the repeal does not resolve the underlying tension between privacy and regulatory oversight. Tornado Cash’s continued operation, even during sanctions, demonstrates the resilience of decentralized protocols but also their vulnerability to misuse. 

Regulators worldwide are likely to scrutinize similar platforms, pushing for stronger AML and Know Your Customer (KYC) frameworks, even in DeFi. This could lead to hybrid solutions where privacy tools incorporate voluntary compliance mechanisms to deter illicit activity without compromising user autonomy.

For Tornado Cash itself, the future remains uncertain. While the protocol’s smart contracts are immutable, its governance via the Tornado Cash DAO could evolve to address regulatory concerns, such as implementing optional transparency features for compliant users. 

The legal battles of its developers — Pertsev, Storm and Semenov — are ongoing, and their outcomes could shape public perception and trust in the platform. A guilty verdict could deter developers from building similar tools, while acquittals might embolden innovation in privacy-focused DeFi.

The Tornado Cash saga has also sparked broader discussions about the right to financial privacy in the digital age. Advocates argue that privacy is a fundamental right, especially in an era of pervasive blockchain surveillance, where every transaction is traceable by default. 

Critics, however, emphasize the societal cost of unchecked anonymity, pointing to cases like the Lazarus Group’s exploits. Striking a balance will require collaboration between developers, regulators and the crypto community to ensure privacy tools serve legitimate users without becoming havens for crime.

As the crypto landscape evolves, Tornado Cash will likely influence the next generation of privacy protocols. Emerging technologies, such as advanced ZK-proofs or layer-2 scaling solutions, could enable even more robust privacy guarantees while addressing regulatory concerns. For now, the repeal of sanctions offers a reprieve for Tornado Cash and its users, but it also sets the stage for a new chapter in the ongoing debate over privacy, security and the future of decentralized finance.