Tornado Cash: The Crypto Mixer and Its Sanctions Saga
Here is something that had never happened before 2022. A government sanctioned software. Not a company, not a person. Code. The code was Tornado Cash, a privacy tool on Ethereum, and the twist is what makes it worth your time. Three years later, that code still runs. The sanctions are gone. The developers are the ones in court.
So this is not really a story about a crypto mixer. It is a story about whether you can outlaw math, and whether the person who writes a tool answers for how strangers use it. What follows is what Tornado Cash is, how it works at a high level, and how the whole saga played out. No how-to here. Just the map.
What Is Tornado Cash and Who Built It
So what is Tornado Cash, really? Not a company. Nobody owns it. No office, no support desk, no server full of customer records to subpoena. It is code: a handful of smart contracts pushed onto Ethereum in 2019 that anyone can use and nobody can claw back. That one design choice is why the courts later tied themselves in knots.
Here is the problem it set out to fix. On Ethereum, everything is public. Pay your rent in ETH and your landlord can suddenly see your salary, your savings, every coin you have ever moved. That is the default setting of the chain. Tornado Cash is a coin mixer: it cuts the on-chain trail between the wallet you deposit from and the wallet you pull funds into, giving back a sliver of financial privacy the blockchain never offered.
Three developers shipped it on 17 December 2019: Roman Storm, Roman Semenov, and Alexey Pertsev. They bolted on a TORN governance token and a DAO so the community, not a boss, would steer it. Then came the move that defined the whole legal mess. They threw away the keys. Hold onto those three names, because the courtroom drama is about the people as much as the code.
How Tornado Cash Works Under the Hood
How does it actually hide anything? With math, not with a middleman. Here is the high-level version, no operational detail.
Deposits, the pool, and the anonymity set
Users deposit a fixed amount of ETH or tokens into a shared smart contract, a pool. The amounts are standardized into round denominations, such as 0.1, 1, 10, or 100 ETH, precisely so that one deposit looks identical to every other in that pool. Everyone's deposits sit together. The more people who have used the same pool, the larger the "anonymity set," meaning any single withdrawal could correspond to any of the earlier deposits. Privacy here is a crowd effect: you hide by blending into everyone else who used the same pool. A nearly empty pool offers almost no privacy, which is why the size of the crowd matters so much.
Zero-knowledge proofs and withdrawals
To withdraw, you prove you put money in, without showing which deposit was yours. The math behind that is a zero-knowledge proof, specifically a zk-SNARK. It lets you prove a statement is true and reveal nothing else. The payout can land in a brand-new wallet. And to stop the gas fee from quietly linking your two addresses, a helper called a relayer can pay it for you. No operator vouches for any of this. The cryptography does the vouching.
Immutable and non-custodial
In May 2020 the developers held a "trusted setup ceremony" and burned the admin keys. From that point on, nobody could pause, change, or delete the core contracts. Not a regulator. Not even the founders. They put the website on IPFS, a decentralized file host, so killing a domain would not kill access. The whole thing was built to outlive the people who made it. And it got heavy use: according to Chainalysis, more than $7.6 billion in ETH ran through it between 2019 and the 2022 sanctions, with close to 30% tied to illicit actors.
| Tornado Cash at a glance | Detail |
|---|---|
| Launched | 17 December 2019 |
| Founders | Roman Storm, Roman Semenov, Alexey Pertsev |
| Network | Ethereum (and other chains, including Polygon) |
| Token | TORN (governance, DAO) |
| Type | Non-custodial, immutable smart-contract mixer |
| Status | OFAC-sanctioned 2022, delisted March 2025 |
Tornado Cash Sanctions: The OFAC Legal Saga
This is the part that made history. The U.S. government sanctioned software, federal courts said it could not, and prosecutors went after the people behind it anyway. All three things are true at once, which is why the case is so tangled.
Why OFAC sanctioned Tornado Cash in 2022
OFAC put Tornado Cash on its sanctions list on 8 August 2022. That had never been done to open-source code before. Treasury's case: the protocol had moved more than $7 billion in crypto since 2019, including over $455 million stolen by the Lazarus Group, North Korea's state hacking crew, from the Ronin bridge heist. The reaction was instant. The website and the GitHub repositories came down. Circle froze about $75,000 in USDC parked at flagged addresses.
Then things got weird. Because anyone can push funds through the protocol to any wallet, a prankster started "dusting" celebrities with tiny Tornado Cash deposits. Suddenly those people had technically touched a sanctioned address, through no choice of their own. You cannot really serve papers on a smart contract. The old sanctions playbook just did not fit a tool with nobody at the wheel.
The arrests and the trials
The criminal cases against Tornado Cash developers landed in two countries. The Netherlands moved first. Dutch prosecutors arrested Alexey Pertsev days after the sanctions, and in May 2024 a court convicted him of money laundering and gave him 64 months, tied to roughly $1.2 billion in transactions. The U.S. went after Roman Storm in the Southern District of New York: money laundering conspiracy, sanctions violations, and running an unlicensed money transmitter.
Storm's defense was simple. I wrote software, I never held anyone's funds, and an author should not answer for what strangers do with open code. Prosecutors saw it the other way. He profited from the tool and kept improving it, they argued, knowing it was washing criminal money. The jury split the difference. In August 2025 it found him guilty on the unlicensed money-transmitting count and deadlocked on the other two. The DOJ wants a retrial, now aimed at October 2026. The third founder, Roman Semenov, is still at large.
How the sanctions were overturned
Meanwhile, a separate civil suit went after the sanctions directly, and it worked. In Van Loon v. Treasury, the Fifth Circuit Court of Appeals ruled on 26 November 2024 that OFAC had overstepped. The reasoning was almost philosophical. An immutable smart contract is not "property" that anyone owns, so it falls outside what the sanctions law lets Treasury reach. OFAC took the hint. It delisted Tornado Cash on 21 March 2025, pulling the protocol and more than 100 addresses off the list.
| Date | Event |
|---|---|
| 17 Dec 2019 | Tornado Cash launches on Ethereum |
| 8 Aug 2022 | OFAC sanctions the protocol |
| May 2024 | Alexey Pertsev convicted in the Netherlands |
| 26 Nov 2024 | Fifth Circuit rules the sanctions unlawful |
| 21 Mar 2025 | OFAC delists Tornado Cash |
| Aug 2025 | Roman Storm split verdict in New York |
Why Sanctioning Tornado Cash Was Controversial
The fight was never really about one tool. It was about whether a government can sanction software and jail the people who write it. Sanctions were designed for entities you can serve papers on: a bank, a cartel, a person. Tornado Cash had none of that. There was no one to negotiate with and nothing to switch off, so the sanction effectively told ordinary Americans they could be punished for touching a piece of code.
That set off a genuine clash of principles. On one side, financial privacy advocates and groups like Coin Center and the EFF argued that private transactions are a legitimate need, that publishing code is a form of protected speech, and that punishing authors chills all open-source development. If shipping a privacy tool can land you in prison, the reasoning goes, far fewer people will build one. On the other, Treasury and prosecutors pointed to real harm: hundreds of millions in stolen funds, much of it flowing to a hostile state's weapons program. Neither side was simply wrong. Plenty of honest users wanted privacy, and plenty of criminals used the same anonymity set to hide. That overlap is exactly what made the case so hard to resolve cleanly, and why reasonable people landed on opposite sides.
Is Tornado Cash Legal or Available Now?
Here is the honest, current answer. The protocol itself is no longer sanctioned: the March 2025 delisting means interacting with Tornado Cash is not, on its own, a sanctions violation for a U.S. person. The immutable contracts are still on Ethereum and still run, which answers a common question directly. No, it cannot simply be shut down, because there is no off switch and no operator to compel.
That does not make it a free pass. Using any tool to launder stolen money or to transact with sanctioned parties remains illegal, delisting or not. Banks and exchanges also still treat funds that have passed through a mixer as higher risk, so a withdrawal can get flagged or frozen at the point you try to cash out, even when the protocol itself is legal. And the Roman Storm retrial, expected around October 2026, keeps the developer-liability question wide open.
Usage tells its own story. The numbers below show a protocol that dipped under sanctions and then recovered once they were lifted.
| Tornado Cash usage | Figure |
|---|---|
| Total ETH mixed, 2019 to 2022 | over $7.6 billion (Chainalysis) |
| Volume processed in 2025 | about $2.5 billion |
| Total value locked, Nov 2025 | about $1.5 billion (record) |
| Total value locked, mid-2026 | about $460 million (DeFiLlama) |
The code clearly survived the sanctions, and the usage came back with it.
What Tornado Cash Means for Crypto Privacy
Whatever happens to Storm, the case already drew the lines. The Fifth Circuit ruling makes it much harder to sanction immutable code outright, and that shields a whole class of privacy tools and ownerless protocols. But the open criminal charges cut the other way. A developer can still face personal risk if strangers misuse the code, even with no funds touched and no service run. You can feel the chill in the industry. Some builders now hesitate before shipping anything near financial privacy, and a few have simply left the United States. Privacy against the policing of misuse: that is the question now hanging over everyone who builds money software in crypto, and Tornado Cash is the case they all cite. The Pertsev conviction in Europe and the split Storm verdict in the United States even point in slightly different directions, which leaves developers guessing about where exactly the line sits.
Where the Tornado Cash Saga Stands Now
The simplest summary is that the code won and the people are still on trial. Sanctions on the protocol are gone, the contracts run untouched, and the courts have drawn a line around what OFAC can blacklist. What is not settled is whether writing and releasing privacy software can make you criminally liable for how anonymous strangers later use it. The Storm retrial will push that question further. So the real thing to watch is not Tornado Cash itself, but the precedent: where does the law decide a developer's responsibility ends and a user's begins?
