What is Tornado Cash?
Tornado Cash is a decentralized cryptocurrency mixer or tumbler based on the Ethereum blockchain. It enables users to anonymously transfer cryptocurrencies by pooling and redistributing them, thereby obscuring the on-chain link between the sender and receiver.
The “need” for such a tool arose because transactions on most popular blockchains, like Bitcoin and Ethereum, are publicly visible. While transactions are pseudonymous, anyone can still track a user's spending patterns by observing their public address. If someone were to obtain details of a transaction linked to a user, they could potentially uncover the entire transaction history associated with that address — and possibly the user themselves. Thus, it is a tool for those prioritizing absolute anonymity and privacy.
Tornado Cash is used for various legitimate purposes, such as protecting personal privacy, making anonymous donations, and shielding the identity of users in sensitive political environments. However, it has also been implicated in several illicit activities, including money laundering and facilitating the movement of stolen funds, which has attracted the attention of authorities around the world.
How does Tornado Cash work?
Tornado Cash enables users to anonymize their Ethereum transactions through a system of pools, which are also known as "anonymity sets." These pools are essentially Ethereum accounts managed by smart contracts that ensure users can only withdraw the amount they originally deposited.
Each pool is designed to accept specific tokens in fixed amounts. For example, one pool might only accept deposits of 1 ETH, while another might handle deposits of 10 ETH. The Tornado Cash Router contract then aggregates all deposits into these shared pools. As the pools grow in size, it becomes increasingly difficult to trace or link deposits and withdrawals.
Tornado Cash uses a cryptographic method called zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge), which allows users to prove that they have a valid transaction without revealing any details about the transaction itself. When a user deposits funds into Tornado Cash, a unique cryptographic hash is generated and stored in a smart contract. This hash, or “commitment,” serves as proof of their claim to the funds.
To withdraw funds, the user provides the commitment and the recipient address. This mechanism ensures that the withdrawal cannot be linked to the original deposit, effectively anonymizing the transaction. The commitment can be used by any wallet to redeem the ETH, meaning users can withdraw funds to a separate wallet, or even sell the commitment to another person if they so desire.
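The pool bookkeeping described above can be modeled in a few lines; this is an added illustration, not code from Tornado Cash or from this article. It shows a fixed-denomination pool that stores a commitment per deposit and, as the deployed protocol does, records a nullifier hash on withdrawal so a note cannot be redeemed twice. Assumptions: the `Note` and `Pool` classes are hypothetical, SHA-256 stands in for the protocol's hash functions, the zk-SNARK check is replaced by a direct membership check, and the recipient strings are constructed.

```python
import hashlib
import secrets

def h(tag: bytes, *parts: bytes) -> str:
    # SHA-256 is a stand-in (assumption); the real pool uses different hash functions.
    return hashlib.sha256(tag + b"".join(parts)).hexdigest()

class Note:
    """Private note kept by the depositor; never published (hypothetical class)."""
    def __init__(self):
        self.nullifier = secrets.token_bytes(31)
        self.secret = secrets.token_bytes(31)
        self.commitment = h(b"commit", self.nullifier, self.secret)
        self.nullifier_hash = h(b"nullify", self.nullifier)

class Pool:
    """Toy fixed-denomination pool; models bookkeeping only, not the contract."""
    def __init__(self, denomination: int):
        self.denomination = denomination
        self.commitments = []   # public: one entry per deposit
        self.spent = set()      # public: nullifier hashes already redeemed
        self.withdrawals = []   # public: (nullifier_hash, recipient, set size)

    def deposit(self, commitment: str, amount: int) -> None:
        if amount != self.denomination:
            raise ValueError("pool accepts only its fixed denomination")
        if commitment in self.commitments:
            raise ValueError("duplicate commitment")
        self.commitments.append(commitment)

    def withdraw(self, note: Note, recipient: str) -> int:
        # Stand-in for zk-SNARK verification: the real contract checks a proof
        # and never sees the note. Here membership is checked directly.
        if note.commitment not in self.commitments:
            raise ValueError("no matching deposit")
        if note.nullifier_hash in self.spent:
            raise ValueError("note already spent")
        self.spent.add(note.nullifier_hash)
        # Only these fields become public; none of them names a commitment.
        self.withdrawals.append(
            (note.nullifier_hash, recipient, len(self.commitments)))
        return self.denomination

    def anonymity_set(self, index: int) -> int:
        """Deposits that pool data alone cannot rule out for withdrawal `index`."""
        return self.withdrawals[index][2]
```

Because every deposit in a pool has the same size and the public withdrawal record carries no commitment, the candidate set for a withdrawal is every deposit made before it, which is why larger pools are harder to trace.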
What is the TORN token?
The TORN token is Tornado Cash's governance token. It was announced in December 2020 and launched in February 2021. It allows holders to vote on on-chain proposals, such as adding new Tornado pools with different parameters, pausing or unpausing token transferability, implementing or amending anonymity mining rewards, and managing the treasury.
Tornado Cash implemented an anonymity mining system to incentivize deposits that stayed in the Tornado pools for sustained periods. Participants were rewarded with anonymity points (AP) based on the duration their assets remained in the pools. These APs could be converted into TORN tokens through an automated market maker (AMM) custom-built by Tornado. The AMM was designed to disincentivize participants from spending their deposits when the total value locked (TVL) in the protocol was low.
In May 2023, an attacker managed to get a malicious proposal passed, granting them control over Tornado Cash's governance system. The attacker used this control to steal hundreds of thousands of TORN tokens and swap most of them for 485 ETH. Following this, the governance token holders voted to resume control over the protocol's operations, passing a proposal to hand back control to the original governance holders.
History, development and legal troubles of Tornado Cash
Tornado Cash was developed as an open-source project by a team of developers, including Alexey Pertsev, Roman Storm and Roman Semenov. It was launched in 2019 and built on research from the Zcash team, which is known for its work in privacy-centric cryptocurrencies.
In May 2020, the Tornado Cash team relinquished control over the protocol, effectively decentralizing it through a contract update known as the Trusted Setup Ceremony. This move transferred governance to the Tornado Cash community via the TORN token, an ERC-20 token used for voting on protocol changes, which was launched in 2021.
By this time, the platform had gained significant traction, with the total value locked in its privacy pools growing tenfold to nearly $300 million in 2020 after liquidity incentives were announced.
However, this rise in adoption was accompanied by significant controversies. The protocol was used by malicious actors in several high-profile cryptocurrency exploits, such as the Ronin Network and Poly Network hacks, where stolen funds were laundered through Tornado Cash. These incidents drew increasing scrutiny from regulators.
This scrutiny peaked in August 2022 when the U.S. Treasury's Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash, accusing it of being used to launder over $7 billion in cryptocurrency, including funds linked to North Korean hacker team Lazarus Group. This sanction effectively prohibited U.S. entities from interacting with the protocol. The move drew widespread criticism from prominent cryptocurrency advocates.
Following sanctions on Tornado Cash by U.S. regulators, an entity began sending small amounts of ETH from sanctioned wallets to numerous wallets of well-known individuals in what appeared to be a form of protest. As a result, many of these wallets had – through no fault of their own – interacted with a U.S.-sanctioned entity, in an action that came to be referred to as “dusting.”
On August 10, 2022, Alexey Pertsev was arrested in the Netherlands for facilitating money laundering.
The U.S. Department of Justice (DOJ) later charged Roman Storm and Roman Semenov with conspiracy to commit money laundering and arrested Storm in August 2023. Storm’s legal proceedings are still ongoing, while Semenov was added to OFAC’s Specially Designated Nationals list and remains at large. Notably, Ethereum co-founder Vitalik Buterin donated funds to a legal defense fund for the Tornado Cash developers.
Pertsev was later sentenced to 64 months in prison on money laundering charges in the Netherlands in May 2024. He was also denied bail as his legal team prepared his appeal.
Despite these challenges, Tornado Cash continues to operate.
Notable cases involving Tornado Cash
Tornado Cash has been implicated in several high-profile cases of cryptocurrency theft and money laundering. Some of the most notable instances include:
- Ronin Network Exploit: In March 2022, the Ronin Network, a sidechain used by the popular game Axie Infinity, was hacked, resulting in the theft of $624 million in cryptocurrency. The stolen funds were subsequently laundered through Tornado Cash.
- Poly Network Exploit: In August 2021, hackers exploited vulnerabilities in the Poly Network, a cross-chain DeFi platform, and stole $611 million. A significant portion of these funds was laundered through Tornado Cash.
- Wormhole Exploit: The Wormhole Network, another cross-chain protocol, was hacked in February 2022, with $326 million stolen. The hackers used Tornado Cash to obscure the origins of their illicit gains.
- Euler Finance Exploit: In March 2023, Euler Finance, a DeFi lending platform, was exploited, resulting in a loss of $197 million. The hackers moved the stolen funds through Tornado Cash.
- WazirX: In July 2024, Indian exchange WazirX was hacked by the North Korean Lazarus Group for over $230 million, with the hackers later moving the funds through Tornado Cash.
Disclaimer: This article was produced with the assistance of OpenAI’s ChatGPT 3.5/4 and reviewed and edited by our editorial team.
© 2024 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.