The Treasury Department on Monday sanctioned a cryptocurrency firm with ties to a North Korean state-sponsored hacking group for allegedly facilitating malicious laundering, marking the latest retaliatory measures against so-called virtual currency mixing services, which effectively obfuscate cryptocurrency transactions to make them more difficult to track.
In a statement Monday morning, the Treasury announced it was sanctioning Ethereum-based Tornado Cash for allegedly helping to launder more than $7 billion worth of cryptocurrency since its creation in 2019, effectively freezing U.S. assets on the platform and barring Americans from using the service.
The laundered funds included over $455 million stolen by the Lazarus Group, a North Korean hacking ring, in the largest known virtual currency heist to date, in which North Korean cyberattackers stole some $620 million in March from an Ethereum-linked platform for the NFT-based video game Axie Infinity, the Treasury said.
On its website, Tornado Cash says it has helped nearly 40,000 users obfuscate transactions through more than 150,000 deposits that help “achieve privacy” by using smart contracts to route funds to an address with no ether balance and then send them to a new public address that has no link to the original sender.
In a Monday statement, the Treasury’s Brian Nelson said Tornado Cash repeatedly failed to impose effective controls and “basic measures” designed to stop it from laundering funds for malicious cyber actors and pledged to continue to “aggressively” pursue actions against mixers that launder cryptocurrency for criminals.
The move follows the Treasury’s first-ever sanctions on a virtual currency mixer in May, when it designated Blender.io for allegedly also helping to carry out the Lazarus-backed crypto heist in March—to the tune of more than $20.5 million worth of illicit proceeds.
In addition to the heist in March, Tornado Cash was also used to launder more than $96 million of funds derived from a June hack of blockchain bridge Harmony and at least $7.8 million from an attack on Nomad, which lost about $190 million in a security exploit just last week, according to the Treasury.
Treasury officials this year have unleashed a wave of sanctions to protect against the potential use of cryptocurrency for sanctions evasion and money laundering. Shortly before the first mixer sanctions, the Treasury in April designated a cryptocurrency mining firm for the first time—targeting Switzerland-based Bitriver AG for operating in the Russian technology sector. Also that month, the Treasury designated Moscow-based exchange Garantex for “willfully disregarding” anti-money-laundering obligations and “allowing [its] systems to be abused by illicit actors.”
In a post on its website, crypto policy think tank Coin Center criticized the Treasury’s Monday decision for “sanctioning a tool that is not an alias of any person meriting sanction,” and said the move effectively limits “any American who wishes to use her own money and a freely available software tool to maintain her own privacy—including for otherwise entirely legal and personal reasons.” According to Coin Center, the sanctions also have uncertain legal ramifications because they potentially put Americans who are sent money through a Tornado address at risk of violating the Treasury’s rules—even though they can’t reject the transaction due to the nature of blockchain.