Imagine writing code that helps people protect their financial privacy. You release it as open-source software. No company owns it. No central server controls it. Then, the US government declares your code illegal to use. This isn’t a scene from a dystopian novel. It’s the reality of the Tornado Cash case.
In August 2022, the Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash. This was historic. For the first time ever, the US government didn't just sanction a person or a bank. They sanctioned immutable smart contracts on the Ethereum blockchain. If you are in the crypto space, this moment changed everything. It raised huge questions about who is responsible for how software is used and whether privacy tools can exist legally in the US.
What Is Tornado Cash and Why Did It Get Targeted?
To understand the sanctions, you have to understand what Tornado Cash actually did. Launched in 2019, it was a non-custodial mixing protocol. Think of it like a digital coin laundry. Users deposit cryptocurrency into a pool. Later, they withdraw an equivalent amount to a different wallet address. The link between the deposit and withdrawal is broken using zero-knowledge proofs. This makes it nearly impossible to trace where the money came from or where it went.
The problem wasn't the technology itself. Privacy is a legitimate need. Many users want to hide their spending habits from advertisers or protect their assets from hackers. But criminals found Tornado Cash very useful too. According to the US Treasury Department, over $7 billion had flowed through the platform since its inception. A significant chunk of that-over $455 million-was stolen by North Korea's Lazarus Group. Other high-profile heists, like the Harmony Bridge Heist and the Nomad Heist, also funneled millions through Tornado Cash to wash the dirty coins.
Under Secretary of the Treasury Brian E. Nelson argued that Tornado Cash failed to impose effective controls to stop malicious actors. Because the protocol required no Know-Your-Customer (KYC) checks, anyone could use it anonymously. The government decided that facilitating this anonymity at scale made the tool itself a weapon for money laundering.
The Unprecedented Nature of Sanctioning Code
Here is where things get legally tricky. Usually, OFAC sanctions specific entities. They freeze assets and ban transactions with named individuals or companies. But Tornado Cash is not a company in the traditional sense. It’s a set of smart contracts deployed on Ethereum. Once those contracts were live, no one-not even the creators-could change them. They were immutable.
By adding Tornado Cash to the Specially Designated Nationals (SDN) list, the US effectively banned all American persons and entities from interacting with those specific contract addresses. This meant:
- You couldn't send ETH to a Tornado Cash deposit address.
- You couldn't withdraw funds from it.
- Exchanges had to block any tokens that touched these contracts.
This created a massive compliance headache. How do you police code that runs autonomously? The sanctions didn't shut down Tornado Cash. The smart contracts kept working. Instead, they criminalized the act of using them for US citizens. This distinction is crucial. The tool still existed; accessing it became a federal offense.
The Trial of Roman Storm: A Split Verdict
If the code was the target, who was to blame? The spotlight fell on Roman Storm, one of Tornado Cash's co-founders. In 2023, Storm was arrested in Spain and extradited to the US. His trial in the Southern District of New York became a landmark case for developer liability.
The prosecution argued that Storm knowingly designed the tool to facilitate money laundering and violated sanctions laws. The defense countered that Storm created open-source software with legitimate privacy uses and that he couldn't control how others used it. They compared it to creating a padlock. Just because someone uses a padlock to secure a stolen car doesn't make the lock manufacturer guilty.
The jury delivered a split verdict on August 6, 2025. Storm was convicted of conspiracy to operate an unlicensed money transmitting business. However, the jury deadlocked on the more serious charges of conspiracy to commit money laundering and conspiracy to violate sanctions. This mixed outcome signals deep uncertainty in the legal system. It suggests that while developers might face some liability, pinning full criminal responsibility for decentralized protocols is incredibly difficult.
Impact on the Crypto Industry and Developers
The ripple effects of the Tornado Cash sanctions have been profound. For years, the crypto ethos was "code is law." The idea was that if you wrote clean, secure code, you were good. The Tornado Cash case shattered that notion. Now, developers must ask: "Could my code be used for crime?" If yes, are they liable?
Financial institutions reacted quickly. Major exchanges like Coinbase and Kraken implemented strict screening mechanisms. Any token that interacted with a sanctioned Tornado Cash address got flagged. This often led to frozen accounts for innocent users whose wallets had accidentally touched tainted funds. The fear of inadvertent violation has made many companies overly cautious, sometimes blocking legitimate privacy-enhancing technologies.
For the broader Decentralized Finance (DeFi) ecosystem, the message was clear: regulators are watching. While Tornado Cash was unique in its pure focus on anonymity, other protocols began integrating compliance features voluntarily. Some started allowing blacklisting functions or KYC checkpoints, moving away from the fully permissionless model. This shift raises concerns among purists who believe decentralization requires absolute neutrality.
| Aspect | Before Aug 2022 | After Sanctions (2022-2026) |
|---|---|---|
| Developer Liability | Low/Open Source Norms | High/Criminal Risk Possible |
| Exchange Compliance | Minimal Screening | Strict Address Blacklisting |
| User Access | Unrestricted | Banned for US Persons |
| Protocol Design | Fully Permissionless | Shift Towards Compliance Features |
Recent Developments: Lifting Sanctions?
Just when you thought the story was settled, new twists emerged. On March 21, 2025, reports surfaced that sanctions on Tornado Cash were being lifted. This caused immediate market volatility. The native governance token, TORN, jumped from around $8 to $15 as traders anticipated a return to normalcy.
However, the situation remains complex. The lifting of sanctions doesn't erase the past. It doesn't absolve Roman Storm of his conviction. And it doesn't mean the government has given up on regulating mixers. Instead, it reflects an ongoing negotiation and legal evolution. The incomplete nature of the criminal proceedings and ongoing civil litigation mean the final status is still shaky.
Why would the US lift sanctions? One theory is that sanctioning immutable code proved ineffective. Criminals still used Tornado Cash. The analysis shows that fluctuations in sanctions had negligible influence on exploiters' behavior. Bad actors found workarounds regardless. So, perhaps the government realized that banning the tool didn't stop the crime but did hurt legitimate users and innovation.
What This Means for You
If you are a crypto user in the US, stay vigilant. Even if sanctions fluctuate, the underlying principle remains: interacting with known illicit finance platforms carries risk. Exchanges will continue to screen for "tainted" tokens. If your wallet history includes interactions with sanctioned addresses, you might face difficulties withdrawing funds to centralized platforms.
For developers, the lesson is caution. Document your intent. Build safeguards if possible. Understand that open-source does not automatically grant immunity from financial regulations. The line between a privacy tool and a money laundering service is thin and heavily debated.
The Tornado Cash case is not just about one mixer. It’s a test case for the future of digital privacy. As we move further into 2026, expect more nuanced regulations. Governments won't likely ban all privacy tech, but they will demand accountability. The balance between protecting citizens' financial data and stopping criminals is still being drawn. And right now, the pen is held by regulators, not coders.
Is it illegal to use Tornado Cash in the US?
As of the initial sanctions in 2022, yes, it was illegal for US persons to interact with Tornado Cash smart contracts. However, following reports of sanctions being lifted in March 2025, the legal landscape shifted. Despite this, historical interactions may still flag compliance systems. Always consult current legal advice before using any mixing service.
What happened to Roman Storm?
Roman Storm, co-founder of Tornado Cash, was convicted in August 2025 of conspiracy to operate an unlicensed money transmitting business. The jury deadlocked on more serious charges related to money laundering and sanctions violations. His case sets a precedent for developer liability in crypto.
Why did OFAC sanction Tornado Cash?
OFAC sanctioned Tornado Cash because it was allegedly used to launder over $7 billion, including funds stolen by North Korea's Lazarus Group. The government argued the platform lacked adequate controls to prevent misuse by malicious cyber actors.
Can I still use crypto mixers safely?
Using crypto mixers carries significant regulatory risk, especially in the US. While some jurisdictions may allow them, US regulators view many mixers as potential money laundering tools. Using them can lead to frozen assets on exchanges and potential legal scrutiny.
Did the sanctions stop criminals from using Tornado Cash?
Analysis suggests that sanctions had negligible influence on exploiters' use of the platform. Determined bad actors continued to find ways to use the protocol despite legal restrictions, highlighting the difficulty of enforcing bans on decentralized networks.