Sanctions against Mixing Services
Looking at the impact of Blender.io and now Tornado Cash being designated.
There are many benefits to cryptocurrency, including financial privacy, where no centralised function knows who has paid what, and to whom. Cryptocurrency transactions are only partially anonymous, with the flow of transactions being publicly available on the blockchain.
Mixing services are designed to break the links between one set of currency and another, so the holder can remain private. To some they are a valuable tool for privacy, to others a route for money laundering.
Mixing services are now becoming targets for sanctions, with the US Treasury targeting Tornado Cash after huge sums linked to North Korea passed through them.
Mixing
Cryptocurrency transactions are traceable due to the public nature of the blockchain. It is possible to show the source and destination of a transaction, as well as clustering and linking addresses to online or real-world services such as Exchanges or Marketplaces. Transactions are effectively pseudonymous.
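As an added illustration (not part of the original article), the sketch below shows how clustering and service attribution work on public transaction data. It assumes the common-input-ownership heuristic used on UTXO-style chains, which the article does not name, and all addresses, transactions and tags are constructed sample data.

```python
from collections import defaultdict

# Constructed sample transactions (addresses are made-up labels, not real ones).
TXS = [
    {"inputs": ["A1", "A2"], "outputs": ["B1"]},
    {"inputs": ["A2", "A3"], "outputs": ["X1"]},
    {"inputs": ["C1"], "outputs": ["A1"]},
    {"inputs": ["D1", "D2"], "outputs": ["M1"]},
]
# Constructed attribution tags linking addresses to real-world services.
TAGS = {"X1": "exchange", "M1": "marketplace"}


def _find(parent, addr):
    """Return the cluster representative for addr (union-find, path halving)."""
    parent.setdefault(addr, addr)
    while parent[addr] != addr:
        parent[addr] = parent[parent[addr]]
        addr = parent[addr]
    return addr


def cluster_addresses(txs):
    """Map every address to the set of addresses assumed to share an owner."""
    parent = {}
    for tx in txs:
        root = _find(parent, tx["inputs"][0])
        for addr in tx["inputs"][1:]:
            parent[_find(parent, addr)] = root  # co-spent inputs: same owner
        for addr in tx["outputs"]:
            _find(parent, addr)                 # register, but do not merge
    groups = defaultdict(set)
    for addr in list(parent):
        groups[_find(parent, addr)].add(addr)
    return {addr: frozenset(groups[_find(parent, addr)]) for addr in list(parent)}


def service_exposure(txs, tags):
    """For each paying cluster, collect the tagged services it has paid."""
    clusters = cluster_addresses(txs)
    exposure = defaultdict(set)
    for tx in txs:
        payer = clusters[tx["inputs"][0]]
        for addr in tx["outputs"]:
            if addr in tags:
                exposure[payer].add(tags[addr])
    return dict(exposure)
```

In this sample, A1 never pays the exchange directly, yet it is linked to it because A1, A2 and A3 fall into one cluster and A3 is co-spent in the payment to X1.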
Mixers claim to offer financial privacy. Currency sent into the mixing service will be ‘mixed’ with other currency and paid out to a user for a fee. The new currency will be disconnected from the old. Mixers improve transaction privacy by breaking the on-chain link between source and destination addresses.
There are a few reasons to use a mixer. You may wish to hide the source of your funds, perhaps to purchase something where you do not want your addresses to be visible to the seller, or to appear in their records. This is a likely use for those paying Darknet markets, which have a history of being attacked and having records published.
You may also wish to launder your funds, disconnecting their source from their destination so the new funds can be spent without their source, which may be potentially criminal, being discovered. This is the classic money laundering process.
Smart contract-based mixers removed the need to trust a third party to mix or exchange funds. The non-custodial nature of these services means that users are in control of their funds.
Tornado Cash
Tornado Cash described itself as ‘a fully decentralized protocol for private transactions on Ethereum’. At its simplest the protocol allowed deposits from one address and withdrawals from another, with all funds being pooled by the service in the middle. The service allows the deposit and withdrawal of fixed amounts.
The underlying Tornado Cash mechanism relies on so-called zero-knowledge proofs. These allow the prover to convince the verifier not only that some information exists, but that they in fact know the information, without revealing any of it in the process. For example, this is like being able to prove your citizenship, and that you have a passport, without giving any of the passport information away.
When you deposit funds into the Tornado Cash service you supply a “commitment”, essentially a large random number. Once the funds are deposited, a user receives a “note”, which is proof of, or a claim to, the deposited funds.
This note is then used by another ETH address to withdraw the same amount of funds that were deposited. When you withdraw funds, you supply a “nullifier” and a zero-knowledge proof that links the nullifier to the commitment.
At the end of the process, you have been able to claim the new funds, proving they are in fact yours, without giving away any information.
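The deposit and withdrawal bookkeeping described above can be modelled in a few lines. This is an added, simplified example, not Tornado Cash's own code: SHA-256 stands in for the protocol's hash, a plain set stands in for its on-chain commitment store, and `statement_holds` is a hypothetical stand-in that checks the relation a real zero-knowledge proof would attest to (it sees the note, so it is not zero-knowledge).

```python
import hashlib
import secrets


def h(data: bytes) -> bytes:
    # SHA-256 stands in for the protocol's own hash function (assumption).
    return hashlib.sha256(data).digest()


def new_note():
    """A note is two random values; the commitment hides both."""
    nullifier, secret = secrets.token_bytes(31), secrets.token_bytes(31)
    return {"nullifier": nullifier, "secret": secret,
            "commitment": h(nullifier + secret)}


def statement_holds(note, nullifier_hash, commitments):
    """The relation a real zero-knowledge proof attests to. Here the note is
    handed to the checker, so this stand-in is NOT zero-knowledge."""
    return (h(note["nullifier"]) == nullifier_hash
            and h(note["nullifier"] + note["secret"]) in commitments)


class Pool:
    DENOMINATION = 1  # fixed deposit/withdrawal size, as the article describes

    def __init__(self):
        self.commitments, self.spent, self.log = set(), set(), []

    def deposit(self, sender, commitment, amount):
        if amount != self.DENOMINATION or commitment in self.commitments:
            raise ValueError("bad deposit")
        self.commitments.add(commitment)
        self.log.append(("deposit", sender, commitment.hex()))  # public

    def withdraw(self, recipient, nullifier_hash, note):
        if nullifier_hash in self.spent:
            raise ValueError("note already spent")
        if not statement_holds(note, nullifier_hash, self.commitments):
            raise ValueError("invalid proof")
        self.spent.add(nullifier_hash)  # blocks a second claim on this note
        self.log.append(("withdraw", recipient, nullifier_hash.hex()))  # public
        return self.DENOMINATION
```

The public log holds only the commitment at deposit and the nullifier hash at withdrawal; without the note, an observer cannot tell which deposit a withdrawal corresponds to, while the spent set still prevents the same note being claimed twice.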
Sanctions against mixing services
In May 2021, the US Treasury sanctioned Blender.io. Blender was being used by groups linked to the Democratic People’s Republic of Korea (DPRK). The group carried out the large-scale attack against Axie Infinity and Blender was used in processing over $20.5 million of the proceeds.
Tornado Cash was sanctioned by OFAC in August, with 38 ETH and 6 USDC addresses being designated. It was used to launder more than $96 million of funds from the June 2022 Harmony Bridge attack, and at least $7.8 million from the August 2022 Nomad raid.
Sanctions are a political mechanism to bring about change. They are not intended to be punitive, but to bring about a change in activity or policy. The US has a wide range of sanctions against the DPRK, covering shipping, financial services and travel. Cryptocurrency theft has become a widespread mechanism for the DPRK to evade more traditional sanctions that have left it outside of the fiat banking system.
The Treasury sanctioned Blender and Tornado Cash under Executive Order 13694.
“Blender is being designated pursuant to E.O. 13694, as amended, for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, a cyber-enabled activity originating from, or directed by persons located, in whole or in substantial part, outside the United States that is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that has the purpose or effect of causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.”
The widespread use of mixing services by the DPRK is ostensibly the main driver for the sanctioning of these specific mixing services, although the recent announcements do make reference to wider illicit activity.
Impact of sanctions
The sanctions against Tornado Cash led to a range of assets being seized and to it being unable to access services. These included its GitHub organisation, the GitHub accounts of major contributors, any USD Coins in Tornado Cash contracts and links to major RPC providers such as Infura and Alchemy. Circle has blacklisted the USDC addresses which are designated, freezing circa $75,000.
There is some criticism of the sanctions from the crypto community, highlighting that Tornado Cash is effectively a dual-use service that can be used for both good, privacy-enhancing purposes and bad ones.
Ultimately the sanctions against Tornado Cash were inevitable. Widespread use of the service by the DPRK to avoid traditional sanctions could not be ignored by the US Government. It is likely that other services will also be sanctioned in the same way.
One of the main claims of DeFi and other blockchain solutions is their ability to resist regulation and control. The sanctioning of Tornado Cash and other virtual currency addresses shows that this is not the case, and that the impact of a lack of access to the US financial system cannot be ignored.