The U.S. government has announced sanctions against the Tornado Cash mixer, saying it has been leveraged by threat actors like the Lazarus Group to launder more than $7 billion in illicit virtual currency payments.
Cryptocurrency mixers are legal services that offer more anonymity for users by pooling together streams of cryptocurrency deposits from several different users, for a fee, and then returning them at random values. However, mixers with lax restrictions or controls have also been used by cybercriminals to obfuscate illicit transactions – tied back to virtual currency heists, ransomware payments, fraud or other illegal activity – in order to make them harder for law enforcement to trace. Tornado Cash is the second virtual currency mixer in three months to be sanctioned by the U.S. Treasury Department, which in May announced its first crackdown ever on a currency mixer called Blender.io.
“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks,” Brian Nelson, under secretary of the Treasury for Terrorism and Financial Intelligence, said in a Monday statement. “Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.”
The sanctions against Tornado Cash – and dozens of Ethereum and USDC wallets associated with the mixer – block U.S. individuals from making financial transactions with these designated entities.
Since it was created in 2019, Tornado Cash has been used by a number of cybercriminals for money laundering, including $455 million stolen by the North Korean state-sponsored Lazarus group. The mixer was also used to launder more than $96 million of cybercriminal funds derived from the June heist of the Harmony blockchain bridge (a tool that helps facilitate transfers between different cryptocurrency tokens) and at least $7.8 million from the Aug. 2 heist of crypto firm Nomad, according to the Treasury Department.
According to a TRM Labs analysis, almost half (over 41 percent) of total funds deposited to Tornado Cash in June and July were tied to hacks and other thefts. The firm also found that North Korean threat actors have used Tornado Cash to launder over $1 billion in stolen funds, including funds associated with the March $620 million Ronin Bridge hack. Tornado Cash was used for smaller heists too, according to the firm, including a July attack on non-fungible token (NFT) platform OMNI to steal 1,300 ETH, worth $1.4 million at the time.
“This is not the first time the Treasury has focused on mixers – they designated blender.io in May – but Tornado Cash has been the mixer of choice for North Korea and other cybercriminals and taking it out has clearly been a national security priority for the US government.”
The Lazarus Group has also used Blender.io in order to process over $20.5 million in illicit proceeds funneled from a $620 million virtual currency heist of a blockchain project linked to online game Axie Infinity. Beyond the Lazarus Group, Blender.io was utilized to help facilitate money laundering for various ransomware groups like Trickbot, Conti, Ryuk and Gandcrab, according to the Office of Foreign Assets Control (OFAC). However, while Blender.io was a centralized mixer, Tornado Cash is a decentralized service and combines users’ crypto through a series of smart contracts that are controlled by an anonymous community of token holders. While this gives users further anonymity, it also presents more challenges for law enforcement.
The U.S. government’s strategy to crack down on ransomware has included targeting illicit cryptocurrency transactions, including ones that transfer ransomware proceeds. In addition to implementing programs aimed at providing support for DoJ and FBI cases involving illicit cryptocurrency transactions, the government has also made efforts to snuff out several of the platforms used by cybercriminals to obfuscate their payments, including cryptocurrency exchanges and services that do not enforce certain anti-money laundering compliance measures. The government has also announced an array of new programs to better target illicit virtual payments, including the DoJ’s National Cryptocurrency Enforcement team, which investigate DoJ cases involving the criminal use of cryptocurrency; and the FBI’s Virtual Asset Exploitation Unit, a specialized team of cryptocurrency experts that will provide support and training for the FBI.
Ari Redbord, head of Legal and Government Affairs with TRM Labs, said the new sanctions represent a message to other crypto mixing services “that they need to bake in compliance controls to thwart money laundering.”
“Today’s action against Tornado Cash is OFAC’s most impactful action to date in the crypto space,” said Redbord. “The size and scale of Tornado Cash makes it a big target for Treasury and for illicit actors who have moved billions of laundered funds through the service. This is not the first time the Treasury has focused on mixers – they designated Blender.io in May – but Tornado Cash has been the mixer of choice for North Korea and other cybercriminals and taking it out has clearly been a national security priority for the US government.”