OFAC Tornado Cash Sanctions: Everything You Need to Know in 5 Minutes

On August 8, 2022, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash, a virtual currency mixer, for enabling cybercriminals to launder USD 7 billion in crypto since 2019. 

According to OFAC’s press release, the Lazarus Group, a Democratic People’s Republic of Korea (DPRK) state-sponsored hacking group, laundered over $455 million in stolen funds through the mixer. The announcement follows OFAC’s designation of virtual currency mixing service blender.io and enforcement actions related to illicit activity from mixers Bitcoin Fog and Helix. 

Tornado Cash has now been added to OFAC’s list of blocked nationals and persons, known as the Specially Designated Nationals (SDN) and Blocked Persons List. The related wallets that have also been added to the SDN list can be found here. 

The Lazarus Group

Sanctioned by the US in 2019 in the largest known virtual currency heist to date, the Lazarus Group commonly uses virtual currency mixing services in crypto heists to help fund North Korea’s nuclear and ballistic missile programs. According to TRM Labs, these heists are a key technique of funding the “cash-strapped” DPRK government. 

“Over the last year or so, we’ve moved from a post 9/11 world into a new digital battlefield,” said head of legal and government affairs at TRM Labs, Ari Redbord. “Nation-state actors know to go after crypto businesses to fund real weapon proliferation. It’s not just some hackers trying to fund a lifestyle.”

According to a report from the UN Security Council’s Panel of Experts on North Korea, cyber actors of the DPRK stole a total of $400 million worth of cryptocurrency in 2021. These cyberattacks “made use of phishing lures, code exploits, malware, and advanced social engineering to siphon funds out of these organizations’ internet-connected “hot” wallets into DPRK controlled addresses.” 

Earlier this year, UN panel coordinator Eric Penton-Voak said North Korean hackers were at the cutting edge of cyber technology, as shown in the recent Axie Infinity video game hack. 

Regulating decentralized crypto entities 

Commenting on the Tornado Cash story for ComplyAdvantage’s Uncover podcast, Tom Robinson, Chief Scientist and Co-Founder at Elliptic, noted: “I believe this is the first time a decentralized protocol has had sanctions imposed on it.” Robinson argued it raises interesting questions about how effective sanctions can be on platforms like Tornado Cash. As there isn’t a central organization to target, sanctions applied to decentralized entities instead must focus on reducing the efficacy of the services they offer.

Listen to the full episode here. 

Key takeaways

Compliance teams should ensure they are implementing these new sanctions and adjust their anti-money laundering and combatting the financing of terrorism (AML/CFT) controls accordingly, keeping in mind that cryptocurrency mixing is a growing area of high-risk activity.

Compliance staff should also ensure blockchain analysis tools are used to identify wallets and transactions that may have “tainted funds” or exposure to Tornado Cash addresses. 

Additional information on illicit financing risks associated with mixers and other anonymity-enhancing technologies in the virtual asset ecosystem can be found in the 2022 National Money Laundering Risk Assessment.