Skip to content
Home » Tornado Cash: Will Regulators Strike Again?

Tornado Cash: Will Regulators Strike Again?

DeFi is supposed to be different. Trustless, autonomous, decentralized. Or is it?

The latest regulation concern has put these features to the test, and the result is not good. It’s an example of how regulations can end promising projects overnight — and how the same can happen to any app. If you thought that legal authorities were on the margin of DeFi, think again.

This August 2022, the US Treasury blacklisted Tornado Cash, an Ethereum application that we believed to be immutable and decentralized. And while it’s not entirely shut down, it disbanded the organization and permanently removed the website. Not only market valuations have plummeted, but the OFAC will sanction U.S. persons for interacting with the platform.

Not so tamperproof after all.

You see, regulators can’t regulate without visibility and control. Tornado Cash was enabling private, anonymous transactions, so they stepped in. Chances are it’s not the last time we’ll hear of such incidents.

So what will it mean for the DeFi space? Let’s start with Tornado Cash to find out.

What is Tornado Cash?

Tornado Cash is a decentralized application (or dApp) that runs on Ethereum Mainnet and BnB Smart Chain. It’s attached to the Tornado Cash token (TORN), which has an ERC-20 and BEP-20 contract address for each respective network. This dApp was first hosted on “app.tornado.cash” but later moved to an IPFS URL (an alternative to HTTPS on search) after US Treasury’s intervention. 

Unlike your typical DeFi app, Tornado Cash was not an interest-earning platform. It’s a collection of smart contracts that users access to obfuscate wallet transactions. The Tornado app does that through a mixing process and zero-knowledge proofs, explained later.

It’s a decentralized privacy project (which might remind you of Monero, ZCash, or Secret Network). Better known as a cryptocurrency mixer or tumbler. You may now wonder: Why would anyone want to pay gas fees to mix coins?

Well, even if you keep all your savings in non-custodial wallets (like Metamask), Ethereum, Solana, BnB, and such are public blockchains. They show everything about what you hold, how much, where you send it, and when. And if you’ve ever done KYC on traditional crypto exchanges, it’s really easy to link your identity to WEB3 wallets you use as recipients.

And as you grow your portfolio, it becomes more important to keep your earnings private and secure.

To be clear, neither Tornado Cash nor any dApp can make transactions private on public networks. But it can achieve the same result through the opposite approach. By overwhelming wallets with fake transactions and other obfuscation methods, it’s almost impossible to tell which one is the real one.

If you know anything about money laundering, you can now see how Tornado Cash got into hot water with regulators.

The Rise and Fall of Tornado Cash

At least until 2022, most attention in crypto goes to either blue-chip cryptocurrencies, altcoins with huge market caps, or DeFi apps with 3-4 figure APYs. By contrast, TORN is more of a tool than an investment. It’s also stayed below a modest $100M market cap for years.

Tornado Cash launched in August 2019, but it didn’t take off until January 2021. From there, TORN would steadily increase its market cap and total-value locked (TVL) until November of 2021 (AKA the end of Bitcoin’s bull run). By then, Tornado went from a $20M TVL to $1.16B TVL and from a <40M market cap to 80M.

However, the price did the opposite. Why? Because its decentralized organization (DAO) increased the TORN circulating supply from <300K to >2.3M (probably for liquidity reasons). TORN prices ranged between $270 and the ATH +$437.41, and after the “money printing,” it fell below $75 and settled below $30 by late 2021.

For the following months, prices and market cap moved sideways and supply was reset between 1M-1.5M (hard cap being 10M). TVL fell to $400M-$500M until the OFAC stepped in August of 2022. And while it’s complex what led to Tornado’s blacklist, there is one metric that raised suspicion about illegal activities

TORN’s trading volume always ranged between $0.6M and ~$3M per day ($1M average). But there were occasional spikes between $10M and $30M. Interestingly enough, the largest volume recorded was $163M, along with many high spikes between February and March of 2022.

Guess what else happened on that range? Two of the largest DeFi cyber-attacks yet: Wormhole for $320M in February and Ronin Bridge (linked to Axie Infinity) for +$600M in March. What a coincidence.

With spikes of +$100M per day, what were the chances that some of that volume came from not just these incidents, but countless illegal businesses?

By April, US regulators traced Lazarus Group, who was behind Ronin’s hack and did launder funds through Tornado Cash. Tornado’s investigation followed until OFAC blacklisted it in August of 2022. And while the TVL and price dropped by 80% (still until November), TORN still averages $1M of daily volume.

How Does Tornado Cash Work?

So how does Tornado Cash mix transactions in public networks? The answer is in zero-knowledge proof (ZKP). It’s a way of verifying transactions without having to disclose their details. In other words, trustless.

It’s hard to imagine how ZKP works because there aren’t any real-world cases, only in mathematics. The closest example is password hashes. Computers can tell if your password is correct or not without having them stored, and mobile phones can identify your screen-lock fingerprint without having to know who you are.

If ZKP were a number-only password, the computer would convert it to a hash or ID, which is the result of applying an algorithm to your input. For example, if your password is 1000, and the algorithm is “(X+X)/5,” then the hash would be “(1000+1000)/5,” which is 400.

It doesn’t matter what equation developers create. What matters is computers store the hash, and if the password you type results in the same one (400), you’ve proven the password is correct without having to store it (1000).

Also reverting the hash to the password is almost impossible. Even if you know it’s 1000, many formulas lead to 400. Sometimes, thousands of formulas lead to the same hash with the same formula.

So when you deposit coins in Tornado Cash, you get a secret ID to verify what coins you committed without having to know your wallet. That means you can connect to the app using another wallet, enter the same ID, and withdraw funds without any links to the previous one.

The more people deposit intTornado Cash, the more anonymous.

How To Interact With Tornado Cash?

Now that the US Treasury has blacklisted the app, can you still interact with Tornado Cash?

You can. But first, a few warnings:

  • The OFAC will sanction whoever interacts with Tornado on transactions. So if you’re a US person and want to use it, make sure you’re using a private connection. 
  • For security reasons, we won’t share the IPFS and RPC addresses. But you should easily find them after a quick search. 
  • Crypto mixers are NOT money-laundering tools. Just because it’s very hard to trace, it’s not impossible. So if transactions are linked to multi-million dollar hacks like Ronin’s, you can be sure that prosecutors will put in the effort and find out.

With that said, the first step to use Tornado Cash is the same one as for any dApp: get a Web3 wallet. If you don’t know how, here’s everything about crypto wallets and how to create one on Metamask. Once you have a balance on Ethereum Mainnet, you’re ready to use Tornado Cash:

  1. Find the alternative URL to https://app.tornado.cash. That URL starts with “ipfs://“, which is a decentralized version of HTTPS and can’t be shut down. Paste it to load the classic Tornado app.
  2. Add RCPs. You’ll likely encounter the error: “All predefined RPCs are down. Select Custom RPC in Settings.” There are different RPCs you’ll find online, and as long as they work, it doesn’t matter which one you choose. If they’re all down, you can still use Ankr’s RPCs, which are decentralized and always available.
  3. Select your token and amount. Tornado supports ETH, WBTC, DAI, cDAI, USDC, and UDST. You can only choose among 4 amounts in factors of 10 (e.g., 1ETH, 10 ETH, 100ETH…). That’s because each amount is a standalone instance that improves anonymity (similar to dollar bills. There isn’t, for example, a “$110 note” but you can get a $100 bill and a $10 one). If your amount is between those ranges, deposit the lowest one multiple times.
  4. Connect your wallet. You only need to connect if you’re depositing. Link your Metamask or WalletConnect if you’re using multsig wallets like Gnosis Safe.
  5. Confirm the smart contract. A pop-up later appears in your wallet where you preview the gas fees, pay, and confirm.
  6. Save the note. After confirming, Tornado App will show a note that you must use to withdraw funds later. Just like seed phrases, it’s the only way to access the balance, and no one else should know the code.
  7. Choose when to withdraw. Next to the deposit window, there are statistics to see how many deposits from others happened after yours. With a $1M daily volume, there should soon be enough to obfuscate the transaction. The more you wait, the less traceable.
  8. Withdraw your funds. On the Withdraw tab, you enter the note you saved and the address where you want the coins. You can choose the same wallet (which would be pointless), another Metamask account, or any Ethereum address. Even centralized exchanges. 
  9. Confirm and complete. Assuming the note and wallet address are valid, you click Withdraw, then Confirm (no smart contract needed), and it’s done. You’ll find the mixed coins in the new wallet after the next Ethereum block confirmation (every <10 minutes).

Not only does this process work, but it’s a testament to how decentralized DeFi really is, and how governments can do nothing about it. (that’s not to say they’ll make it easy though)

Tornado Cash Shutdown

Yet on 8 August 2022, the OFAC of the US Treasury blacklisted Tornado Cash. From that date:

  • Tornado Cash became illegal in the USA.
  • Web providers took down all pages related to Tornado Cash, app included.
  • The Tornado Cash DAO disbanded, leaving the app discontinued, without further updates.

Several users responded to US sanctions by withdrawing funds from Tornado. TVL and TORN prices fell and never recovered. At this point, people only use Tornado Cash for its utility and not for its investment potential.

If you’re wondering how it’s still running, the short answer is decentralized web services (IPFS domain and RPCs like Ankr’s).

You can think of DeFi apps like vending machines. Even if the company behind it goes bankrupt or disappears, the machine is still there and working (although unsupported).

Now, what does this shutdown mean to other dApps like Tornado Cash?

According to the US Treasury, Tornado Cash was facilitating money laundering. After the Ronin hack discovery, that was enough proof to take legal action. The blacklisting was effective to dissuade its usage but not to stop user activity. Tornado keeps mixing millions every day.

Whatever TORN alternatives there might be, regulators can do the same as with Tornado as soon as they gain popularity. The only way to avoid shutdowns (and thus price impact) is to use decentralized web infrastructure from the start. 

Tornado Cash Founder Arrested

2 days after OFAC’s intervention, the Dutch authorities arrested a developer behind Tornado Cash, Alexey Pertsev. Alexei also previously worked with a Russian Intelligence Service, which the OFAC sanctioned in 2018. For at least 90 days, Alexei would stay in jail for facilitating money laundering on TORN and crime suspicions related to this second entity.

What happened to Alexei may happen to other Tornado developers in the next months. Also note that authorities haven’t charged him with any crimes. Until his jail time ends on November 8th, the decision is still unclear. 

Earlier in August, there was a small protest against the arrest. After all, coding isn’t a crime. And while cyber-attackers did use Tornado Cash, would US authorities arrest a gun maker for someone else’s public shooting?

The typical intervention is to prosecute criminals, not software developers. Because hackers don’t have identities in privacy dApps, the only regulation attempt was to shut down Tornado Cash. This only encourages them to use coin mixer alternatives.

Are There Tornado Cash Alternatives?

Fortunately, the Tornado Cash shutdown isn’t the end of privacy projects. Many have been around for years, and new ones will keep appearing despite the incident. The three types you can find are coin-mixing dApps, swap websites, and privacy coins.

Only two dApps are close to replacing Tornado Cash: Cyclone Protocol (CYC) and ZK.Money. While many others offer the same (privacy through zero-knowledge proofs), these two offer the best rates and features. Cyclone, in specific, is a Tornado Cash fork with the same functionality but also works in BnB Chain, Polygon, IoTeX, and Ethereum.

Note that none of the alternatives have comparable volumes. Tornado Cash trades millions daily while the next most popular, Cyclone, has at best a $20K volume and $150K TVL. Not because of that they’re “worse” than Tornado, and it can be an advantage to fly under the radar of regulators.

As for mixer alternatives:

  • The most used privacy coins are Monero, Grin, and ZCash. These use different obfuscation methods to make public transactions untraceable. And while buying these coins won’t make you anonymous, for example, using the Monero network for payments will.
  • There are also swap websites to anonymously convert tokens (but you can use the same one just for mixing). First you enter the token, amount, and your destination wallet (doesn’t need to be Metamask). Then, you send crypto to a designated address, and once it arrives, the platform sends the swapped tokens to your wallet minutes later. Some swap examples are Unijoin, Godex, and Coinomize.

Swap websites are the easiest to use but also the least reliable. They’re middlemen platforms that regulators can shut down anytime, should they be linked to money laundering. Privacy networks are the most secure but not as practical, because privacy relies on you not withdrawing coins from the network. Mixer dApps like Tornado and Cyclone are the most flexible.

Implications for Future Crypto Regulation

DeFi makes it possible to buy financial products and services without middlemen, escrow parties, or regulators. Not only that, but it’s secure and available no matter who or where you are. This approach contradicts traditional regulations, and authorities worry that this freedom may facilitate fraud.

That’s why Tornado Cash was shut down. Or at least, officially. Countless users keep using it as if nothing happened. And even if it were completely deleted to stop bad actors, they’d still find another way.

Unless regulators somehow take down IPFS or Ethereum, it will keep running. And while Tornado might now be a dead project, the TORN price will keep reacting to market sentiment, and the platform volume will maintain until a better mixer comes up.