Guys, what do you think of the recent calls for the cryptocurrency mixing service Tornado Cash to be sanctioned?
Tornado Cash has been pretty much in the spotlight recently after a number of exploits were connected to the service, with hackers seeking to launder their ill-gotten funds via the system.
Recently, things came to a head when the approximately $620 million attack on Axie Infinity's Ronin Network on March 23rd, identified as the biggest crypto hack to date, was connected by US authorities to Lazarus, an elite state-backed North Korean group of hackers. By then, a fair portion of the stolen funds had already been laundered through Tornado Cash, and it was feared that the funds were being used to finance North Korea's nuclear program.
In a tweet earlier today, blockchain security firm PeckShield also reported that $358 million of stolen funds, from a number of exploiters not limited to the Ronin attack, were laundered through Tornado Cash in April 2022 alone.
Is it then time for the US OFAC to move in with additional sanctions or are there other options which can yet be explored? Let's discuss.
How Tornado Cash Works
According to its website, Tornado Cash uses "smart contracts that accept token deposits from one address and enable their withdrawal from a different address." These smart contracts work as pools that mix deposited assets from different sources. Once the funds are withdrawn by a completely new address, the on-chain link between the source of the cryptocurrency and its destination will be broken and withdrawn crypto-assets will be anonymized.
Following the Ronin Network hack, Tornado Cash did seek to introduce systems to prevent hackers from using its network to launder the ETH. This included using a tool developed by compliance firm Chainalysis to block OFAC-sanctioned crypto wallets.
Call for Tornado Cash Sanctions
In a very detailed article titled "OFAC, the DPRK and the Tornado of Cash", published today by Lawfare, Nicholas Weaver, a senior staff researcher at the International Computer Science Institute in Berkeley, California, called on the US Office of Foreign Assets Control (OFAC) to sanction Tornado Cash to "prevent the DPRK (Democratic People's Republic of Korea) from profiting from the theft". He notes that after hackers quite creatively took control of the Axie Infinity Ronin blockchain and stole all of the deposited Ethereum on the chain, they were able to capitalize on the crypto community's credo supporting anonymity and take advantage of decentralized mixing services to mingle their funds and hide their origins.
Weaver notes that, as of early May, the hackers had already transferred 37,000 Ethereum, or roughly $100 million, to Tornado Cash.
"And although the Tornado Cash operators have changed their easy to use web interface to prevent further deposits, there is nothing that prevents the DPRK from bypassing the web interface to add more Ethereum," he states. "The smart contract itself deliberately provides no mechanism by which it can prevent the inclusion of known dirty money and, by design, can’t tell the source of funds being withdrawn."
Weaver therefore dismisses the sanctions-compliance activity by the operators of Tornado Cash as "window dressing, a way of claiming to limit money laundering in a way that actually can't limit the use for money laundering." He also alleges that Tornado Cash is not enforcing sanctions, pointing to the fact that Tornado Cash accepted known dirty Ethereum from the group of hackers days after sanctions were issued.
He is calling on OFAC to consider a creative sanction against Tornado Cash as well as the ETH wallet holding Ronin's stolen cryptocurrency.
"This wallet itself should be listed as a sanctioned entity because it is known to be hiding a large amount of the DPRK’s stolen cryptocurrency," he says.
And for those who legitimately use Tornado Cash for privacy purposes, he warns, "All others who participate in this pool are acting to help hide the DPRK’s ill-gotten gains since they are all contributing to the anonymity set in which the DPRK is hiding. Any withdraws by Tornado Cash users after March 23 are thus contaminated by the DPRK unless the withdrawer publicly discloses the receipt."
This, he says, is a requirement that legitimate users of Tornado Cash should have no problem meeting.
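To make the pool and the receipt concrete, here is a simplified model added for illustration (it is not Tornado Cash's code and not from Weaver's article). It assumes SHA-256 as a stand-in for the hash and zero-knowledge proof the real contracts use, and the class, function names and addresses are constructed placeholders.

```python
import hashlib
import secrets

def h(*parts: bytes) -> str:
    return hashlib.sha256(b"".join(parts)).hexdigest()

class Pool:
    """Toy fixed-denomination pool. Both lists model public on-chain records."""
    def __init__(self):
        self.deposits = []     # (commitment, depositing address)
        self.withdrawals = []  # (nullifier hash, receiving address)

    def deposit(self, from_addr):
        nullifier, secret = secrets.token_bytes(31), secrets.token_bytes(31)
        self.deposits.append((h(nullifier, secret), from_addr))
        # The private note (the "receipt") stays with the depositor.
        return {"nullifier": nullifier, "secret": secret}

    def withdraw(self, note, to_addr):
        # Simplification: the real contract never sees the note, it checks a
        # zero-knowledge proof that the caller knows one for some deposit.
        commitment = h(note["nullifier"], note["secret"])
        spent = h(note["nullifier"])
        if commitment not in {c for c, _ in self.deposits}:
            raise ValueError("no matching deposit")
        if spent in {n for n, _ in self.withdrawals}:
            raise ValueError("note already spent")
        self.withdrawals.append((spent, to_addr))

def disclose(pool, note):
    """What presenting the receipt reveals: the deposit/withdrawal pair."""
    commitment = h(note["nullifier"], note["secret"])
    spent = h(note["nullifier"])
    src = next((a for c, a in pool.deposits if c == commitment), None)
    dst = next((a for n, a in pool.withdrawals if n == spent), None)
    return src, dst

def demo():
    pool = Pool()
    notes = [pool.deposit(a) for a in ("0xAlice", "0xBob", "0xCarol")]
    pool.withdraw(notes[1], "0xFresh1")
    pool.withdraw(notes[0], "0xFresh2")
    # Public records share no value, so an observer cannot pair them up.
    shared = {c for c, _ in pool.deposits} & {n for n, _ in pool.withdrawals}
    return shared, disclose(pool, notes[1]), disclose(pool, notes[2])

if __name__ == "__main__":
    print(demo())
```

Only the holder of a note can tie a withdrawal back to its deposit, which is why the disclosure Weaver describes has to come from the user rather than from the contract.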
"Tornado Cash was designed so that an honest user of Tornado Cash, when questioned, could show that it was honest Ethereum by presenting the receipt," he notes.
And so, guys, what do you think? Do you think that Mr. Weaver's assertions are reasonable and fair? Also, what are your thoughts about the PeckShield revelation showing that a significant portion of stolen crypto funds was laundered via Tornado Cash in the past month alone? Do you think that the measures taken by the Tornado Cash team are enough? And if not, what else can be done? I'd love to hear your thoughts on this one.
Well, my friends, I'm off again in search of another story. Until we meet again, please remember to be safe. Arrivederci!