On August 8, 2022, the US Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash — an Ethereum smart contract that mixed transactions to preserve privacy. It was the first time the US government sanctioned software itself, rather than a person or entity. The decision sent shockwaves through the crypto industry and raised fundamental questions about free speech, open-source code, and the limits of government power over decentralized technology.
Tornado Cash worked by pooling deposits and allowing withdrawals to unlinked addresses, breaking the on-chain connection between sender and receiver. Users deposited ETH or tokens, received a cryptographic note, and later withdrew to a fresh address. The protocol used zero-knowledge proofs to verify withdrawal rights without revealing which deposit corresponded to which withdrawal. It was used by privacy-conscious individuals, but also by North Korea’s Lazarus Group (which laundered hundreds of millions from crypto hacks through Tornado Cash).
The sanctions made it illegal for US persons to interact with Tornado Cash’s smart contracts — which still existed on Ethereum’s blockchain and continued to function, since they’re immutable code that no one can take down. USDC issuer Circle immediately froze Tornado Cash-linked addresses. GitHub removed the Tornado Cash repository. The project’s website went offline. Dutch authorities arrested developer Alexey Pertsev in August 2022; he was convicted in May 2024 and sentenced to 64 months in prison for money laundering.
The crypto community was deeply divided. Civil liberties groups argued that sanctioning open-source code violated the First Amendment (code is speech) and punished a tool rather than its misuse — like sanctioning the highway because criminals drive on it. The government argued that Tornado Cash was purpose-built for money laundering and that its developers profited from illicit use. The case remains one of the most important legal battles in crypto, with implications far beyond Tornado Cash for the legality of privacy tools, the liability of open-source developers, and the government’s power to sanction decentralized protocols.
Leave a Reply