Tornado Cash Sanctions

    Tornado Cash is in the news due to the sanctions imposed by the US government and the freezing of $75K of USDC from Circle. The addresses tied to the service have been publicly posted online. (Hint: we also have them in our crosschain address labels table.) What is Tornado Cash and why would it be targeted by the US government? Why might an address interact with the service? Using those addresses, answer the following: How many addresses are still using the service despite the sanctions? Which addresses have been interacting the most with Tornado Cash? Break the addresses down by frequency and volume of tokens and describe how the groups are using the service differently. Is there anything else interesting about its users?

    What is Tornado Cash?

    Tornado Cash is a mixer, a protocol designed to pool funds in an effort to obfuscate the origin of any given transaction. This protocol allows users to send in some cryptocurrency using their own wallets and get it back via different addresses. Its code is designed to mix a user's crypto with a pool of other Tornado Cash users' crypto in a smart contract, making it harder (if not impossible) to track.

    Tornado Cash is also used by some people as a legitimate way to protect their privacy in the still nascent crypto market. When a buyer pays for something using a crypto wallet, the recipient of the transfer has access to the purchaser's public crypto wallet, showing account details and history.

    According to its official website (which is now down due to the sanctions), Tornado Cash could improve transaction privacy by breaking the on-chain link between source and destination addresses.

    What is The Story?

    On Monday (8th August 2022), Circle, the issuer of the USD Coin (USDC) stablecoin, froze over 75,000 USDC worth of funds linked to the 45 Tornado Cash addresses added to the U.S. Office of Foreign Assets Control's (OFAC) Specially Designated Nationals and Blocked Persons (SDN) list. The platform was used to obfuscate the trail of previous cryptocurrency transactions on the Ethereum blockchain. In blacklisting Tornado Cash, the Treasury Department said it was going after criminals who used the service to launder more than $7 billion worth of virtual currency since it launched in 2019.

    In the past, OFAC has placed cryptocurrency wallet addresses on its “Specially Designated Nationals list.” Now the Treasury is targeting the address of a smart contract that enables people to maintain their own personal privacy, according to Peter Van Valkenburgh, director of research at Coin Center, a non-profit cryptocurrency think tank. “That is fundamentally different, because now you’re not targeting a particular person who is a known terrorist or member of an enemy state,” said Van Valkenburgh. “You’re targeting a piece of software that exists on a peer-to-peer network on the internet.”

    Blender and Tornado Cash have been linked to Lazarus Group, a cyber hacking group that has carried out the largest virtual currency hacks to date. Its victims include Axie Infinity, from which almost $620 million was stolen, with around $20.5 million of the illicit proceeds laundered through Blender.

    The main reason for the ban is that the protocol was used for money laundering, hacking, and other illegal activities, helping hackers remain anonymous so that no one could trace them.

    The US Treasury has officially added the following addresses to OFAC's SDN List:

    • TORNADO CASH (a.k.a. TORNADO CASH CLASSIC; a.k.a. TORNADO CASH NOVA); Website tornado.cash;
    • Organization Established Date 2019; Digital Currency Address - USDC 0x8589427373D6D84E98730D7795D8f6f8731FDA16;
    • alt. Digital Currency Address - USDC 0x4736dCf1b7A3d580672CcE6E7c65cd5cc9cFBa9D [CYBER2]. 

    The addresses above are also available in Flipside tables.

    Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said in the press release:

    “Virtual currency mixers that assist illicit transactions threaten U.S. national security interests. We are taking action against illicit financial activity by the DPRK and will not allow state-sponsored thievery and its money-laundering enablers to go unanswered.”

    All U.S. persons and entities are prohibited from interacting with the virtual currency mixer's USDC and Ethereum smart contract addresses on the SDN list. Penalties for willful noncompliance can range from fines of $50,000 to $10,000,000 and 10 to 30 years imprisonment. An estimated $437 million worth of assets, consisting of stablecoins, Ethereum, and wrapped Bitcoin (WBTC), are currently held in Tornado Cash's smart contract addresses. As a result, issuers are expected to take steps to prevent the transaction or redemption of such assets. The new Tornado Cash sanctions apply across the board for U.S. individuals and entities. Simple interactions such as Gitcoin donations, working for the project, running or downloading its software, visiting its website, and depositing/withdrawing from smart contracts could be interpreted as violations. 

    Introduction

    September 2021:

    According to the analytics group PeckShield, the DEX protocol NowSwap was hacked and lost more than 1 million USD in funds. The attackers stole 535,000 USDT and 158 WETH. The USDT was converted to ETH through the distributed network service 1inch and then transferred to the Ethereum anonymous trading platform Tornado Cash. The hackers exploited an invalid ‘K’ value check in NowSwap's pair contract to attack the protocol.

    In Defense of Tornado Cash

    However, any system that is misused or has technical and security problems can cause similar issues; this is not unique to Tornado Cash.

    Moreover, alongside these criminal attacks, there were also some good uses of the service.

    For example, yesterday (9th August 2022), Ethereum creator Vitalik Buterin publicly acknowledged using Tornado Cash's privacy protocol to donate to Ukraine's war efforts. Buterin's admission comes a day after the U.S. Treasury added Tornado Cash's website and smart contracts to its sanctions list. The move marks the first time the Treasury has sanctioned a piece of code or technology instead of natural or legal persons, raising questions about the action's constitutional legality.

    Moreover, before it was banned, Tornado Cash took several steps to comply with the policies of the U.S. Office of Foreign Assets Control (OFAC).

    Tornado Cash announced that it was using oracle contracts from Chainalysis to block wallet addresses sanctioned by OFAC. The move came after the U.S. Department of the Treasury named the North Korean cybercriminal Lazarus Group as an alleged perpetrator of the $600 million+ Ronin Bridge exploit. The hackers sent approximately $80.3 million worth of Ether (ETH) through Tornado Cash. "Maintaining financial privacy is essential to preserving our freedom; however, it should not come at the cost of non-compliance," said the Tornado Cash team. The Chainalysis Sanctions Oracle can validate whether a cryptocurrency wallet address has been included in a sanctions designation from the United States, European Union, or United Nations. But Tornado Cash co-founder Roman Semenov later clarified that the instrument only blocks access to the decentralized application, or DApp, interface and not the underlying smart contract.

    End of the Story

    Analysis

    As mentioned at the start of the bounty, the US sanctions began on 8 August 2022. So I set this date as the start of the sanctions and, in the next step, I am going to:

    • Check how many addresses are still using the service despite the sanctions.
    • Find which addresses have been interacting the most with Tornado Cash.
    • Break the addresses down by frequency and volume of tokens and describe how the groups are using the service differently.
    • Look for anything else interesting about its users.
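
    The before/after comparison set up above, as an added example (not the dashboard's own queries): it screens transactions against sanctioned addresses case-insensitively, splits them at the sanction date, and groups users by frequency and USD volume. The sample transactions, placeholder wallets, midnight-UTC cutoff and the "6+" and "100K+" groups are assumptions; the two sanctioned addresses come from the page's list.

```python
from collections import Counter
from datetime import datetime, timezone

# The page's cutoff is 8 August 2022; midnight UTC is an assumption.
SANCTION_START = datetime(2022, 8, 8, tzinfo=timezone.utc)

# Two sanctioned addresses from the page's list, in mixed-case SDN form.
SDN_A = "0x8589427373D6D84E98730D7795D8f6f8731FDA16"
SDN_B = "0x4736dCf1b7A3d580672CcE6E7c65cd5cc9cFBa9D"
SANCTIONED = {SDN_A.lower(), SDN_B.lower()}  # match case-insensitively

# Frequency groups "1" and "2-5" are the page's; "6+" is an assumption.
FREQ_EDGES, FREQ_LABELS = (2, 6), ("1", "2-5", "6+")
# USD ranges follow the page; applying them to a user's total is an assumption.
USD_EDGES = (100, 1_000, 10_000, 100_000)
USD_LABELS = ("<100", "100-1K", "1K-10K", "10K-100K", "100K+")

def wallet(n):
    """Constructed placeholder wallet address (not a real user)."""
    return f"0x{n:040x}"

def at(day, hour):
    return datetime(2022, 8, day, hour, tzinfo=timezone.utc)

# Constructed sample rows: (tx_hash, time, from, to, usd_value).
TXS = [
    ("t1", at(5, 10), wallet(1), SDN_A.lower(), 5000.0),
    ("t2", at(6, 11), wallet(1), "0x" + SDN_B[2:].upper(), 7000.0),
    ("t3", at(7, 9), wallet(2), SDN_A, 50.0),
    ("t4", at(7, 12), wallet(3), wallet(4), 900.0),  # no sanctioned party
    ("t5", at(8, 16), wallet(2), SDN_A, 300.0),
    ("t5", at(8, 16), wallet(2), SDN_A, 300.0),      # duplicate row (e.g. a join)
    ("t6", at(9, 16), wallet(5), SDN_B, 150.0),
    ("t7", at(9, 17), SDN_B, wallet(5), 150.0),      # sanctioned address sends
]

def mixer_rows(txs):
    """Keep one row per tx_hash where either side is a sanctioned address."""
    seen, rows = set(), []
    for tx_hash, when, src, dst, usd in txs:
        src, dst = src.lower(), dst.lower()
        if tx_hash in seen or not {src, dst} & SANCTIONED:
            continue
        seen.add(tx_hash)
        user = dst if src in SANCTIONED else src  # the non-sanctioned side
        rows.append((user, when, usd))
    return rows

def bucket(value, edges, labels):
    """Return the label of the first edge the value falls below."""
    for edge, label in zip(edges, labels):
        if value < edge:
            return label
    return labels[-1]

def summarize(rows):
    """Unique users, transaction count, top users and the two groupings."""
    tx_count, volume = Counter(), Counter()
    for user, _, usd in rows:
        tx_count[user] += 1
        volume[user] += usd
    return {
        "users": len(tx_count),
        "txs": sum(tx_count.values()),
        "top": tx_count.most_common(10),
        "by_frequency": Counter(bucket(n, FREQ_EDGES, FREQ_LABELS) for n in tx_count.values()),
        "by_volume": Counter(bucket(v, USD_EDGES, USD_LABELS) for v in volume.values()),
    }

def before_after(txs, cutoff=SANCTION_START):
    """Summaries of mixer activity before and from the sanction cutoff."""
    rows = mixer_rows(txs)
    return (summarize([r for r in rows if r[1] < cutoff]),
            summarize([r for r in rows if r[1] >= cutoff]))
```

    Lowercasing both sides matters because the SDN list prints checksummed mixed-case addresses while the wallet addresses quoted in the analysis are all lowercase.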

    November 2021:

    The Squid Game scammers disappeared after taking $3 million from investors. The masterminds behind the Squid rug pull are probably enjoying the good life after stealing more than $3 million in a matter of seconds. The platform explains that fraudsters used the cryptocurrency mixing service Tornado Cash to obfuscate their identities. (A few days after the project was born, users were unable to redeem their proceeds or sell their tokens.)

    December 2021:

    $3.2 Million ETH Stolen Via MetaDAO DeFi Protocol Rugpull, After Another Project Pulls 1,100 BNB: A series of DeFi hacks, scams and rugpulls continues as some developers in the industry decide to abandon ship after the first signs of a market correction. This time, a total of $3.8 million in users' funds was stolen. The malicious address had multiple transactions in the Tornado Cash funds mixer. The funds remain in the Tornado Cash coin mixer, which means that tracking users' funds is most likely impossible. The funds will probably be declared lost.

    January 2022:

    Major cryptocurrency exchange Crypto.com has lost roughly $15 million worth of Ethereum (ETH) to hackers, according to blockchain security company PeckShield. Half of the stolen crypto is being laundered with the help of the Ethereum-powered coin mixing service Tornado Cash.

    March 2022

    The exploiter behind Ronin’s unprecedented $625 million bridge attack apparently moved some 1,400 ether (ETH) to privacy tool Tornado Cash, and then the remaining 600 ETH during European hours, on-chain data connected to the exploit’s addresses show.

    April 2022

    1- The attacker behind Ronin Network’s unprecedented $655 million exploit in March has apparently moved tens of millions of dollars worth of stolen ether (ETH) through privacy protocol Tornado Cash. The funds moved to Tornado Cash were worth upward of $65 million.

    2- An address linked to the Ronin Network hack has transferred 5,505.7 ETH. The vast majority of the Ronin hacker’s funds have been deposited to Tornado Cash, an Ethereum-based coin mixer, in order to launder the stolen funds.

    April 2022

    3- Beanstalk Farms, an Ethereum-based stablecoin protocol, was exploited with the total losses skyrocketing to over $180 million. As a result, the native cryptocurrency (BEAN) plummeted by more than 80% in minutes. PeckShield also noted that the attacker withdrew the initial funds to start the hack from Synapse Protocol and deposited most of the stolen assets to Tornado Cash. Interestingly, it appears that the perpetrator donated 250,000 USDC to the Ukraine Crypto Donation wallet!

    June 2022

    A total of 18,036.3 Ether (ETH), worth about $21 million, was moved out of the Harmony Horizon Bridge exploiter’s primary wallet. These funds were then divided equally three ways and sent to three different addresses in single transactions over the next 10 hours. The funds have begun to move into the Tornado Cash Ethereum mixer, signaling that the attacker has no intention of accepting the $1 million bounty offered. The decision to obfuscate the ill-gotten gains answers questions about whether the Harmony team’s offer of just 1% of the $100 million in crypto funds stolen on Friday would be enough to convince the exploiter to return them.

    July 2022

    Uniswap lost close to $8 million worth of Ethereum in a sophisticated phishing attack. While the protocol hasn't been compromised by exploiting a vulnerability as initially suspected, the cyberattack has impacted many investors in digital assets. The threat actors used the lure of free UNI tokens (airdrops) to trick victims into granting transactions that gave hackers full access to wallets. In total, the threat actors siphoned 7,574 ETH to a wallet address under their control and quickly moved 7,500 to the Tornado Cash service for mixing (laundering).

    So, based on the above data, we can conclude that it was not so bad that America imposed these sanctions on Tornado Cash!

    Some of the criminal (hack) activities that were covered via Tornado Cash:

    Based on the above data, a total of 48892 unique users have ever interacted with Tornado Cash, making 334790 unique transactions (before and after sanctions).

    After sanctions, 279 unique wallets are still interacting with Tornado Cash. The number of transactions made by these brave users(!) is 1859.

    On the above chart, we can see the hourly number of users interacting with Tornado Cash from the past week until today (broken down into before and after sanctions for a better understanding).

    As we see, despite sanctions, the number of users did not change significantly, and there are still active users performing transactions on Tornado Cash.

    Even so, we can clearly see the impact of sanctions during the afternoon of 8th August, when the number of users decreased to 0 and 1 for two hours.

    Also, in terms of the number of transactions, we cannot see a significant impact of the US sanctions on Tornado Cash.

    There are still numerous transactions on Tornado Cash, and the highest spike occurred on 9th August at 16:00, with 155 transactions, when Tornado Cash was already on the US sanctions list.

    As on the previous chart, we can clearly see the impact of sanctions during the afternoon of 8th August, when the number of users decreased to 0 and 1 for two hours.

    On the above charts, we can see the top 10 addresses with the most interactions with Tornado Cash, for all time and since the start of the sanctions.

    As we see, 0xbe4d1e137a24af091be80ae58d652279665e3a27 is the wallet address with the most interactions with Tornado Cash since its beginning (11188 TX).

    But after sanctions, there is no trace of this wallet in the top 10 list; the wallet address 0x4a72162980676ac2a1161913b083e9358166d3b0 is at the top with 129 transactions.

    Interestingly, the only wallet address from the all-time top 10 that also appears in the top 10 after sanctions is 0x3a1d526d09b7e59fd88de4726f68a8246ddc2742. This means the top 10 Tornado Cash wallets are quite loyal in obeying the US sanctions.

    In terms of volume (ETH + other tokens, in USD), the largest number of users made transactions worth 1000 to 10000 USD on Tornado Cash.

    Moreover, users who made transactions worth less than $100 are the smallest group.

    So we can conclude that most Tornado Cash users are high-net-worth users (they can be called whales).

    On the above charts, we can see the top 10 Tornado Cash users (all time and after sanctions) by Ethereum wallet balance (in USD).

    As we see, the wallet address 0x75e89d5979e4f6fba9f97c104c2f0afb3f1dcb88, which belongs to the MEXC exchange, has the highest USD balance among Tornado Cash users (all time).

    After sanctions, the user with the highest wallet balance is 0xd4cd3073df4f3b4d102aed9c5e257f7f12b50d12, with a balance of more than 3.8M USD.

    It is obvious that the wallet balances of users who made transactions on Tornado Cash after the US sanctions are far lower than those of pre-sanction users.

    Conclusion

    Based on the above analysis, we have found:

    • Numerous criminal transactions used the Tornado Cash protocol in the past 1-2 years.

    • Some of the famous and high-value victim platforms are Crypto.com Exchange, Uniswap DEX, Harmony Bridge, Ronin Network, MetaDAO, Beanstalk Farms, NowSwap, and Squid Game token.

    • Penalties for willful noncompliance can range from fines of $50,000 to $10,000,000 and 10 to 30 years imprisonment, so be careful!

    • There were also positive uses of Tornado Cash (for example, Vitalik Buterin's donation to Ukraine). So plenty of users think it is not fair to ban this protocol, because any technology (even common ones like WhatsApp!) can be used in criminal ways.

    • A total of 48892 unique users have ever interacted with Tornado Cash, making 334790 unique transactions (before and after sanctions). After sanctions, 279 unique wallets are still interacting with Tornado Cash. The number of transactions made by these brave users(!) is 1859.

    • Despite sanctions, the number of users did not change significantly, and there are still active users and transactions on Tornado Cash.

    • 0xbe4d1e137a24af091be80ae58d652279665e3a27 is the wallet address with the most interactions with Tornado Cash since its beginning (11188 TX). But after sanctions, there is no trace of this wallet in the top 10 list; the wallet address 0x4a72162980676ac2a1161913b083e9358166d3b0 is at the top with 129 transactions.

    • Interestingly, the only wallet address from the all-time top 10 that also appears in the top 10 after sanctions is 0x3a1d526d09b7e59fd88de4726f68a8246ddc2742. This means the top 10 Tornado Cash wallets are quite loyal in obeying the US sanctions.

    • The largest number of users (both all time and after sanctions) had only 1 interaction with Tornado Cash. So we can conclude that most users on Tornado Cash were one-time users and did not interact with this protocol more than once or a maximum of 5 times.

    • The largest number of users made transactions worth 1000 to 10000 USD on Tornado Cash. Moreover, users who made transactions worth less than $100 are the smallest group.

      So we can conclude that most Tornado Cash users are high-net-worth users (they can be called whales). But after sanctions, the highest number of transactions and users involved transactions worth only $100 to $1000. So we can conclude that the volume of transactions after sanctions is lower than before.

    • The wallet address 0x75e89d5979e4f6fba9f97c104c2f0afb3f1dcb88, which belongs to the MEXC exchange, has the highest USD balance among Tornado Cash users (all time).

    • After sanctions, the user with the highest wallet balance is 0xd4cd3073df4f3b4d102aed9c5e257f7f12b50d12, with a balance of more than 3.8M USD. It is obvious that the wallet balances of users who made transactions on Tornado Cash after the US sanctions are far lower than those of pre-sanction users.

    • Most Tornado Cash users have a balance of less than $100 in their wallets.


    ==Ali3N#8546==

    On the above chart, we can see the distribution of Tornado Cash users by their Ethereum wallet balance (in USD), after sanctions and for all time.

    On both charts, most Tornado Cash users have a balance of less than $100 in their wallets.

    On the left chart, users with a wallet balance between 1000 and 10000 rank second, but on the right chart users with a balance of 10000 to 100000 rank second.

    On the above chart, we can see that the largest number of users (both all time and after sanctions) had only 1 interaction with Tornado Cash.

    In second place on both charts are users who made only 2 - 5 interactions with Tornado Cash.

    So we can conclude that most users on Tornado Cash were one-time users and did not interact with this protocol more than once or a maximum of 5 times.

    But after sanctions, the highest number of transactions and users involved transactions worth only $100 to $1000.

    In second place are transactions worth 1000 to 10000 USD.

    So we can conclude that the volume of transactions after sanctions is lower than before.
