Though blockchain-enabled cryptocurrencies were initially hailed as new ways to make private financial transactions, the reality isn’t quite that simple. Many blockchain records are public, allowing people to track transaction histories of accounts. And due to some KYC and AML requirements, accounts may be able to be traced back to the individuals controlling them.
Enter Tornado Cash, a program that allows deposits to, and withdrawals from, a pooled crypto fund. This breaks up direct connections between senders and receivers of crypto, allowing for greater privacy in crypto transactions. However, concerns over the misuse of this technology for money laundering have resulted in scrutiny—and even sanctions—from regulatory agencies.
So what is Tornado Cash, exactly? How does it work? And why is it controversial enough that the US government has banned its use? Read on to find out.
What is Tornado Cash?
Tornado Cash is a crypto transaction privacy program developed on the Ethereum blockchain. It allows a user to deposit several types of cryptocurrency into a shared pool, then receive a transaction key. A user can later input the key to withdraw crypto from the pool into a different crypto wallet.
How Does Tornado Cash Work?
The purpose of Tornado Cash is to act as a privacy-enhancing intermediary in crypto transactions. Usually, crypto is exchanged directly between two parties, leaving a record linking the sender to the receiver.
Tornado Cash works to break this link by taking crypto deposits, disassociating them from their senders, and then giving them back out to any other party that has a deposit’s associated security key.
Here’s a summary of how Tornado Cash works:
- A user chooses a cryptocurrency and the amount they want to deposit to Tornado Cash.
- The user connects their crypto wallet to Tornado Cash to facilitate the transaction.
- Tornado Cash generates a security key specific to the deposit, which the user copies.
- Once the transaction is authorized and completed, Tornado Cash puts the deposited crypto in a shared pool, where it’s disassociated from the depositor’s crypto wallet address. This is known as “crypto tumbling” or “crypto mixing.”
- A person who has a deposit transaction’s associated security key can use it to withdraw crypto from the balance into their own crypto wallet.
A person withdrawing crypto from Tornado Cash may also use a “relayer” program. A relayer takes a withdrawal request, then files it with Tornado Cash on the user's behalf. So the person can withdraw crypto from Tornado Cash without having the withdrawal transaction directly linked to their crypto wallet address, further protecting their privacy.
Is Tornado Cash Illegal?
Tornado Cash is currently illegal in the United States. The reason for this is that it subverts Ethereum’s default blockchain structure of having all transactions on the blockchain be public.
Under this setup, a person‘s personal information isn’t attached to their crypto transactions, but their crypto wallet address is. This allows a person’s transaction history to be traced and possibly linked back to the person’s true identity in some circumstances.
Tornado Cash gets around this by allowing users to deposit crypto into a shared pool, and then withdraw part or all of the balance from the pool later by using an associated security key. The pool’s protocols work to disassociate depositors’ addresses from the crypto they contribute. So a user must only know a deposit transaction’s corresponding security key to withdraw from the balance again. They don’t have to be the same person who made the deposit.
This means that Tornado Cash makes it impossible to tell what crypto in a pool belongs to which person, and very difficult to tell who is sending crypto to whom (it could even be the same person using a different crypto wallet). This anonymization presents some potential concerns, as we’ll expand on next. But the main problem with this is that this technology is often used by criminals to make it easier to get way with various forms of crypto fraud.
Tornado Cash Sanctioned by OFAC
In August of 2022, the US Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash. The agency claimed that Tornado Cash enabled money laundering by failing to balance its transaction-anonymizing capabilities with sufficient controls to prevent criminals from depositing stolen crypto. This included over $455 million worth of crypto assets believed to have been stolen that year by a North Korean hacker group.
Because of these Tornado Cash sanctions, it’s currently illegal for US citizens, residents, and companies to use Tornado Cash for depositing or withdrawing crypto.
Let Unit21’s AML Platform Protect Your Business Against the Risks of Crypto Tumblers
Critics of Tornado Cash’s OFAC sanctioning claim that the program has many legitimate uses, like anonymously donating funds to people living under oppressive regimes. However, it’s also true that Tornado Cash can be – indeed, has been – used for financial crimes like money laundering. So the Tornado Cash sanction could be a sign that further regulation of similar “crypto mixing” and “crypto tumbling” services is coming in the future.
In the meantime, it’s vital for financial institutions and money services businesses to know about the potential risks associated with programs like Tornado Cash. It’s also crucial for their AML compliance program to take these risks into account.